Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10ec4f09f82d...d3.exe
windows10-2004-x64
10efd97b1038...ea4.js
windows10-2004-x64
3emotet_exe...04.exe
windows10-2004-x64
10emotet_exe...23.exe
windows10-2004-x64
10eupdate.exe
windows10-2004-x64
7f4f47c67be...3f.exe
windows10-2004-x64
10fb5d110ced...9c.exe
windows10-2004-x64
6fee15285c3...35.exe
windows10-2004-x64
10file(1).exe
windows10-2004-x64
1file.exe
windows10-2004-x64
7gjMEi6eG.exe
windows10-2004-x64
10good.exe
windows10-2004-x64
10hyundai st...1).exe
windows10-2004-x64
10hyundai st...10.exe
windows10-2004-x64
10infected d...er.exe
windows10-2004-x64
10inps_979.xls
windows10-2004-x64
1jar.jar
windows10-2004-x64
10june9.dll
windows10-2004-x64
10mouse_2.exe
windows10-2004-x64
10oof.exe
windows10-2004-x64
3openme.exe
windows10-2004-x64
10ou55sg33s_1.exe
windows10-2004-x64
10senate.dll
windows10-2004-x64
10starticon3.exe
windows10-2004-x64
10str.dll
windows10-2004-x64
10svchost.exe
windows10-2004-x64
10update.exe
windows10-2004-x64
10vir1.xlsx
windows10-2004-x64
1wwf[1].exe
windows10-2004-x64
10xNet.dll
windows10-2004-x64
1전산 및...��.exe
windows10-2004-x64
10전산 및...�1.exe
windows10-2004-x64
10Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2024, 19:31
Static task
static1
Behavioral task
behavioral1
Sample
ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
eupdate.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
file(1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
file.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
gjMEi6eG.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
good.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
hyundai steel-pipe- job 8010(1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
hyundai steel-pipe- job 8010.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
infected dot net installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
inps_979.xls
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
jar.jar
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
june9.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
mouse_2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
oof.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
openme.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
ou55sg33s_1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
senate.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
starticon3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
str.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
svchost.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
update.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
vir1.xlsx
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
wwf[1].exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
xNet.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
Resource
win10v2004-20241007-en
General
-
Target
wwf[1].exe
-
Size
2.3MB
-
MD5
f18334d87221ecb0fb12405814c21912
-
SHA1
2875140558c0c17a259ff2d731e5e4a0a823108a
-
SHA256
0263c76856472535f8441f582dac011dbf52f965086f9e59a6930c00b2106073
-
SHA512
fa96425f2402803b7c34ea27211c33257224f65966cb42c651fa688bc131bbae6dbf7fc743eb055398fc2e4a0841a17ff31097346c4666ba39607e974c22ae2d
-
SSDEEP
49152:jUEJpE+TT7TDGBcuHsi7Ly2Cr2SRtgbR9iTp1woifnUWtMbuIJ0y:jBnE+TT/DGTHs8yVr2n99iTpiXfnUWtS
Malware Config
Extracted
zloader
bot7
bot7
https://militanttra.at/owg.php
-
build_id
18
Signatures
-
Zloader family
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Egnuhu = "C:\\Users\\Admin\\AppData\\Roaming\\Idiq\\waytol.exe" msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4572 set thread context of 4280 4572 wwf[1].exe 90 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wwf[1].exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeSecurityPrivilege 4280 msiexec.exe Token: SeSecurityPrivilege 4280 msiexec.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4572 wrote to memory of 4280 4572 wwf[1].exe 90 PID 4572 wrote to memory of 4280 4572 wwf[1].exe 90 PID 4572 wrote to memory of 4280 4572 wwf[1].exe 90 PID 4572 wrote to memory of 4280 4572 wwf[1].exe 90 PID 4572 wrote to memory of 4280 4572 wwf[1].exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\wwf[1].exe"C:\Users\Admin\AppData\Local\Temp\wwf[1].exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4280
-