Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2024, 03:49
Behavioral task
- behavioral1
  - Sample: e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  - Resource: win7-20240708-en
General
- Target: e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
- Size: 6.1MB
- MD5: 48978e12606c69a14525441154e7bfd5
- SHA1: 7402deebde1bb439be4c938458f9139ff8ba16ce
- SHA256: e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab
- SHA512: 08f7389f19c51b0070c87a129068867cdb1ea24d768ed29001796290182fa1fcb9a3a9a1fc1cd22c49ff251e0366f5dd380ddac7c64e08a2851f8cea287fe9f1
- SSDEEP: 98304:dSPwB+aOipCWBR6K4OIiGMprhRp8kBdQ9UEUvQxXf1tpqinVruk:vB+aOiDUKzDrhQLZK0f1tQpk
Malware Config
Extracted
- Family: laplas
- clipper.guru
- api_key: 7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e
Signatures
- Laplas family
- Executes dropped EXE (1 IoCs)
  pid | Process
  2532 | wWafNGtsey.exe
- yara_rule matches
  resource | yara_rule
  behavioral2/memory/4624-8-0x0000000000EC0000-0x0000000001C1E000-memory.dmp | vmprotect
  behavioral2/memory/2532-21-0x0000000000CE0000-0x0000000001A3E000-memory.dmp | vmprotect
  behavioral2/memory/2532-22-0x0000000000CE0000-0x0000000001A3E000-memory.dmp | vmprotect
  behavioral2/memory/2532-26-0x0000000000CE0000-0x0000000001A3E000-memory.dmp | vmprotect
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wWafNGtsey.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4124 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4624 | e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  4624 | e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  2532 | wWafNGtsey.exe
  2532 | wWafNGtsey.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4624 wrote to memory of 3480 | 4624 | e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe | 82
  PID 4624 wrote to memory of 3480 | 4624 | e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe | 82
  PID 4624 wrote to memory of 3480 | 4624 | e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe | 82
  PID 3480 wrote to memory of 4124 | 3480 | cmd.exe | 84
  PID 3480 wrote to memory of 4124 | 3480 | cmd.exe | 84
  PID 3480 wrote to memory of 4124 | 3480 | cmd.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4624
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C schtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3480
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 4124
- C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe
  Command line: C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2532