Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13/11/2024, 01:52
General
-
Target
RFQ_HYU-241002863 SQ-242000846그리고 PO-248000263.exe
-
Size
1.7MB
-
MD5
1d572147e37c4766851afec9c30aacf9
-
SHA1
cee9e2191859ccbbb259329684bd1849056a3622
-
SHA256
6177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530
-
SHA512
24f30d63ff61f729af2f84558b5f42778921be921706e182cbf58aa12637c44bc3967ec8e29583924791724b1af54db697a22bea4b8a02bede1cb21ed9f453c5
-
SSDEEP
49152:7JZoQrbTFZY1iaC3q3z8JFExUq4IoBNA13:7trbTA1Xz8EPTx13
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ_HYU-241002863 SQ-242000846그리고 PO-248000263.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_HYU-241002863 SQ-242000846그리고 PO-248000263.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Keily\leucoryx.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_HYU-241002863 SQ-242000846그리고 PO-248000263.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_HYU-241002863 SQ-242000846그리고 PO-248000263.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 7563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3728 -ip 37281⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD51d572147e37c4766851afec9c30aacf9
SHA1cee9e2191859ccbbb259329684bd1849056a3622
SHA2566177136bd2ab5a59885aed70a333b5b59885bc9457bd36a98f176f6d26c8b530
SHA51224f30d63ff61f729af2f84558b5f42778921be921706e182cbf58aa12637c44bc3967ec8e29583924791724b1af54db697a22bea4b8a02bede1cb21ed9f453c5
-
Filesize
1.5MB
MD5fa426b72f63fd9287636e7e4ba1e0483
SHA1376d7665be7ba5a0676647d2c0ea053b741722bb
SHA256c7ba59a9365363ac2b0e0816073c8bab9f70ce8493fed74e8078a589cf82fd42
SHA51240738a48fefa98abac626951b7f741fb0b05c578454c1227cde14b048ef5765930fc52dcf018b1cac5f693c195bf5a0bb46d9dd9c1479e7528cafb5f551b53b8
-
Filesize
140KB
MD5a939bf44771dcb9e74e043255059a6ad
SHA1aa5434381ba69b69acec1715a5eaf8f78bd694fb
SHA25656ff08e6c414a9704e2fb8666cf3a5e628453fc4493e84bc88614490c674c335
SHA51225037b30c80b05fec07f59ff7d870ec8bc85c85086b21cb7a923c31021860354b7e699b3d0feb74837372e3253c2e2380de81fefc30637d6a5e9ef5b9b23be1a
-
Filesize
1024KB
-
Filesize
1024KB