Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2024, 18:24
Behavioral task
- behavioral1
  - Sample: FNTDEZE.exe
  - Resource: win7-20241010-en
General
- Target: FNTDEZE.exe
- Size: 10.2MB
- MD5: 4a6029621511b1ee7e9dbaabeebeb2cb
- SHA1: 06e9648914e177827d4624dbf1fd63fdaf666411
- SHA256: a9ac0b1d8a4f8a61d621bec622f4f6b13c7b66f2ed009cd90aebb2a7727da228
- SHA512: 71fbfc2acbdde34a5adf15d3e4dc99d6fd2f667013ba506652f0cb543fa0550148e7277ad706bfa65f552a652b2c9104ca7f7e8c2e6706d45bfa922b828560e4
- SSDEEP: 196608:Ein3DxOpJlXC4NmNumGOEJohaDjx4a0FAwYxM44BXVhs8yaqbvYY:VnTxOpJUi/raMjm2BP4Dhs8sY
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects a file protected with ACProtect software.
  resource                                    | yara_rule
  behavioral1/files/0x000500000001c780-45.dat | acprotect
- Loads dropped DLL (1 IoC)
  pid  | Process
  2832 | FNTDEZE.exe
- upx (yara rule, 2 IoCs)
  resource                                                                    | yara_rule
  behavioral1/files/0x000500000001c780-45.dat                                 | upx
  behavioral1/memory/2832-47-0x0000000074870000-0x0000000074CF2000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FNTDEZE.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FNTDEZE.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process     | procid_target
  PID 2392 wrote to memory of 2832 | 2392 | FNTDEZE.exe | 30
  PID 2392 wrote to memory of 2832 | 2392 | FNTDEZE.exe | 30
  PID 2392 wrote to memory of 2832 | 2392 | FNTDEZE.exe | 30
  PID 2392 wrote to memory of 2832 | 2392 | FNTDEZE.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe "C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe" (PID 2392)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe "C:\Users\Admin\AppData\Local\Temp\FNTDEZE.exe" (PID 2832, child of 2392)
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
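The process tree and the WriteProcessMemory rows together describe one parent (PID 2392) writing into a freshly spawned copy of its own image (PID 2832), which then loads the dropped DLL and, like its parent, reads the NLS\Language key. The script below, added here as an example and not part of the report, turns those rows into two findings: a same-image parent-to-child memory write, and the T1614.001 registry read. The input rows are constructed from the IoC lines above so it runs offline; the parser, the deduplication and the "same-image write is worth a look" heuristic are the example's own, and the report itself does not assign the WriteProcessMemory rows an ATT&CK technique.

```python
"""Added example (not from the tria.ge report): derive findings from behavioural IoC rows."""
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" rows
# (the sandbox records one row per call, hence four identical lines).
WPM_ROWS = ["PID 2392 wrote to memory of 2832 2392 FNTDEZE.exe 30"] * 4

# Constructed from the report's "System Language Discovery" rows.
REG_ROWS = [r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FNTDEZE.exe"] * 2

# pid -> image name, from the report's process tree.
PROCESSES = {2392: "FNTDEZE.exe", 2832: "FNTDEZE.exe"}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
LANG_KEY_RE = re.compile(
    r"^Key opened (\\REGISTRY\\MACHINE\\SYSTEM\\\S*\\NLS\\Language) (\S+)$", re.IGNORECASE
)


def classify_writes(rows, processes):
    """Deduplicate WriteProcessMemory rows by (writer, target) and mark writes
    where the writer and target run the same image name (writer != target)."""
    out = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        if writer == target or (writer, target) in out:
            continue
        w_img = processes.get(writer, m.group(4))
        t_img = processes.get(target, "")
        out[(writer, target)] = {
            "writer": writer,
            "target": target,
            "image": w_img,
            "same_image": w_img.lower() == t_img.lower(),
        }
    return list(out.values())


def language_discovery(rows):
    """Return {process: count} of NLS\\Language key opens (ATT&CK T1614.001)."""
    hits = defaultdict(int)
    for row in rows:
        m = LANG_KEY_RE.match(row)
        if m:
            hits[m.group(2)] += 1
    return dict(hits)


def summarize(wpm_rows, reg_rows, processes):
    """Human-readable findings; the same-image write wording is this example's
    heuristic (a common shape of self-injection), not a label from the report."""
    findings = []
    for w in classify_writes(wpm_rows, processes):
        kind = "a child running the same image" if w["same_image"] else "another process"
        findings.append(
            f"{w['image']} (PID {w['writer']}) wrote into {kind} (PID {w['target']})"
        )
    for proc, n in language_discovery(reg_rows).items():
        findings.append(f"T1614.001: {proc} opened the NLS\\Language key {n} time(s)")
    return findings


if __name__ == "__main__":
    for line in summarize(WPM_ROWS, REG_ROWS, PROCESSES):
        print(line)
```

A parent writing into a second instance of its own binary is the shape that precedes process hollowing or a similar self-injection, which is a good reason to pull the memory dump the report lists for PID 2832 and compare it with the on-disk image; the language lookup on its own is low-signal, since plenty of legitimate installers check locale too.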
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 7cd78961972c635bbe49b29bb86e5726
  SHA1: 5677a224e3b1c27ffd05a6ccea6ffcbbdb42b3ef
  SHA256: e99fc9e98f769b903473ba46ab4a6019df3126d8d40184c369a91fdeb5a336ca
  SHA512: 0dca58bea7a0297bbe7166b908ce4f6b2e0a85586492c3ba7f4aa8c75e12d3ca854040426a674ba5f75c2f53d407accda5ced56ce7166ca9a6ef40a1857ca145