Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2024, 19:31

General

  • Target

    wwf[1].exe

  • Size

    2.3MB

  • MD5

    f18334d87221ecb0fb12405814c21912

  • SHA1

    2875140558c0c17a259ff2d731e5e4a0a823108a

  • SHA256

    0263c76856472535f8441f582dac011dbf52f965086f9e59a6930c00b2106073

  • SHA512

    fa96425f2402803b7c34ea27211c33257224f65966cb42c651fa688bc131bbae6dbf7fc743eb055398fc2e4a0841a17ff31097346c4666ba39607e974c22ae2d

  • SSDEEP

    49152:jUEJpE+TT7TDGBcuHsi7Ly2Cr2SRtgbR9iTp1woifnUWtMbuIJ0y:jBnE+TT/DGTHs8yVr2n99iTpiXfnUWtS

Malware Config

Extracted

Family

zloader

Botnet

bot7

Campaign

bot7

C2

https://militanttra.at/owg.php

Attributes
  • build_id

    18

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader family
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wwf[1].exe
    "C:\Users\Admin\AppData\Local\Temp\wwf[1].exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4280-10-0x0000000000A40000-0x0000000000A6C000-memory.dmp

    Filesize

    176KB

  • memory/4280-14-0x0000000000A40000-0x0000000000A6C000-memory.dmp

    Filesize

    176KB

  • memory/4280-15-0x0000000000A40000-0x0000000000A6C000-memory.dmp

    Filesize

    176KB

  • memory/4572-0-0x0000000000533000-0x0000000000536000-memory.dmp

    Filesize

    12KB

  • memory/4572-1-0x0000000000340000-0x000000000058C000-memory.dmp

    Filesize

    2.3MB

  • memory/4572-2-0x0000000000340000-0x000000000058C000-memory.dmp

    Filesize

    2.3MB

  • memory/4572-4-0x0000000000533000-0x0000000000536000-memory.dmp

    Filesize

    12KB

  • memory/4572-12-0x0000000000340000-0x000000000058C000-memory.dmp

    Filesize

    2.3MB