Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2024, 21:58
Behavioral task: behavioral1
- Sample: 419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
- Resource: win10v2004-20241007-en
General
- Target: 419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
- Size: 29KB
- MD5: 37f36b4d3c2b5ceb1d76d424bbc6681a
- SHA1: 4bb9567a63072b61ceca92fe49e2ac6cd4ac6903
- SHA256: 419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142
- SHA512: f73dcd2ca0671079215672bae7d7a694b9cb4786bbe09016288141592dec1cbaa743de47ce1bb7155d74a7023b8af186c1c269388ba0b02c6f754b9c4217575d
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/2:AEwVs+0jNDY1qi/qu
Malware Config
Signatures
- Detects MyDoom family (2 IoCs)
  resource  yara_rule
  behavioral1/memory/2200-17-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
  behavioral1/memory/2200-57-0x0000000000500000-0x0000000000510200-memory.dmp  family_mydoom
- Mydoom family
- Executes dropped EXE (1 IoC)
  pid  Process
  2024  services.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
  resource  yara_rule
  behavioral1/memory/2200-0-0x0000000000500000-0x0000000000510200-memory.dmp  upx
  behavioral1/files/0x0008000000015cb6-10.dat  upx
  behavioral1/memory/2024-11-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2200-17-0x0000000000500000-0x0000000000510200-memory.dmp  upx
  behavioral1/memory/2024-21-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-22-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-27-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-32-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-34-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-39-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-44-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-46-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-51-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-56-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2200-57-0x0000000000500000-0x0000000000510200-memory.dmp  upx
  behavioral1/memory/2024-58-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2024-63-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/files/0x0005000000004ed7-73.dat  upx
- Drops file in Windows directory (3 IoCs)
  description  ioc  Process
  File created  C:\Windows\services.exe  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
  File opened for modification  C:\Windows\java.exe  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
  File created  C:\Windows\java.exe  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  services.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description  pid  Process  procid_target
  PID 2200 wrote to memory of 2024  2200  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe  30
  PID 2200 wrote to memory of 2024  2200  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe  30
  PID 2200 wrote to memory of 2024  2200  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe  30
  PID 2200 wrote to memory of 2024  2200  419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\419b12306819bde9533910fddbfbd2ccde5d25d7afb861a9de5ebe410f4f8142.exe"
  PID: 2200
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    PID: 2024
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 29KB
  MD5: 6690c99acc1e7a6cc9f4f89cd1a8a1de
  SHA1: bf6a9652caa76438ccf1722ef494a82b2261e364
  SHA256: 29c9ab331491d0f30d41626b7d0d7da1ceaef25ead2a4fd2603d458c826ea997
  SHA512: 7fc89d6a68a170b5f66c867f028e26cbd4053e9e0b7f9227cb138184dd92f0b58b50c78f9a2ac01e3b95574126abf20347ba3a0a9bc488b886f04fd05ea0a951
- Filesize: 320B
  MD5: 31329dd2deb36c0a7dd30f104163c0e7
  SHA1: acca08509872b25904ec7cd99a2b93660819cfd0
  SHA256: e8f97e1106bf55d1633dc533fd8a0e7eabd2a32abd9be52ff2e689b34999287e
  SHA512: 07c967822f7c60aa5dfcbda71d99bd95305a0c0f830af967fcb6fa81c40517432233e68ec89573a5e50fb0aeb186b7cd0df00fcb7a18829fde7534c480b9311d
- Filesize: 320B
  MD5: e11379126cf6675dd304ccdbeb84420d
  SHA1: 8f9820186473354093fecde26358cded363084c1
  SHA256: 8b2384cc08ae8b4cb4862eb218835dd2b406c48b2f911f84de42cc51758bc941
  SHA512: cb821cdcb2285cee38238e628d6c4efd47072a1201b3e5d19bd70ff6cb00430a0d470eef15a18ea1ec4b77172273c880761f5f6f775dd2f8b516b175ee197829
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2