
Analysis

  • max time kernel
    110s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/12/2024, 18:59

General

  • Target

    31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe

  • Size

    165KB

  • MD5

    cd0e91bba7713d1a7c66d50c4f9aed90

  • SHA1

    fc4dde2537881ce341b8054fe64a9659a235bfaa

  • SHA256

    31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095

  • SHA512

    2a1eb564056bb3ea26d4ec36ba1c88482ec7fb26b788dbcde7389f654400403519d0d9c82ec544694e668ddbebba0b3a28ca4e70bf0e452764a6b5ada50615a5

  • SSDEEP

    3072:EfkfcHxa/ZrtSBnZ+k2/d7V2g855t1dRTvydaDgA+XtZ4X:akfcHxaRhS7+kId/85zLRxgAiZ4

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs
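
The "UPX packed file" signature above is a static check on the PE section table. As an added example, not part of the report or the sandbox's own rule set, the script below parses the section headers of a PE image, collects the section names, and flags the UPX0/UPX1/UPX2 names that stock UPX leaves behind together with the "UPX!" marker string. Modified UPX builds often rename the sections, which is why the signature says "UPX/modified UPX" and why the marker is checked separately; a build that strips both will slip past this. The PE bytes fed to it come from build_stub_pe(), a constructed header-only stub, because the analysed binary is not on this page.

```python
"""Static UPX check: walk the PE section table and look for the section names and
marker string the stock UPX packer leaves behind. Added example; the PE bytes built
by build_stub_pe() are constructed header-only stubs, not the analysed sample."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # stock UPX layout: UPX0 (empty), UPX1 (packed), optional UPX2
UPX_MARKER = b"UPX!"                              # version marker written into the packed image


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER (40 bytes each)
    if table + 40 * n_sections > len(data):
        raise ValueError("section table runs past end of file")
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0") for i in range(n_sections)]


def upx_indicators(data: bytes) -> dict:
    """Two independent heuristics: UPX section names and the 'UPX!' marker string."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": any(n in UPX_SECTION_NAMES for n in names),
        "upx_marker": UPX_MARKER in data,
    }


def build_stub_pe(section_names, trailer=b"") -> bytes:
    """Constructed test input: a minimal PE32 header with the given sections and no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # Magic = PE32, remaining fields zeroed
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + trailer


if __name__ == "__main__":
    packed = build_stub_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"\0" * 16 + UPX_MARKER)
    plain = build_stub_pe([b".text", b".rdata", b".data"])
    print(upx_indicators(packed))
    print(upx_indicators(plain))
```

Run it against the on-disk sample with `upx_indicators(open(path, "rb").read())`. The memory dumps listed further down are the other half of the picture: every dumped region is 0x400000-0x445000, which is 0x45000 bytes or 276KB, against a 165KB file on disk, consistent with a packer unpacking the real image in place at the load address.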

Processes

  • C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
    "C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
      C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2928
    • C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
      C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1344
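
The process tree above shows the distinctive shape of this sample: the parent (PID 2520) relaunches its own image twice with a `start<target path>%<target dir>` argument, naming the targets after genuine Windows binaries (dwm.exe in Roaming, csrss.exe in Temp), and the signature list says it also writes a Run key. The following detection logic is an added example, not the sandbox's rule set: it runs three checks over Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) records and groups findings by PID. The EVENTS list is constructed to mirror the PIDs and command lines on this page; the explorer.exe parent of PID 2520 and the Run-key value name and data are assumptions, since the report names the technique but does not show those details.

```python
"""Detection logic for the process tree above: a self-relaunch carrying a
'start<target path>%<target dir>' argument, copies named after Windows binaries
(dwm.exe, csrss.exe) placed outside System32, and a Run-key value pointing into a
user-writable directory. Added example; EVENTS are constructed Sysmon-style records,
not the sandbox log. The explorer.exe parent and the Run-key value are assumptions."""
import re
from pathlib import PureWindowsPath

SYSTEM_BINARY_NAMES = {"dwm.exe", "csrss.exe"}            # names borrowed by the sample's copies
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEY_HINT = "\\currentversion\\run"

# '<exe> start<target path>%<target dir>' as carried by the two child processes
START_ARG = re.compile(r"\sstart([a-z]:\\[^%]+)%([a-z]:\\.*)$", re.IGNORECASE)

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe")

EVENTS = [  # constructed records mirroring the PIDs and command lines in the report
    {"EventID": 1, "ProcessId": 2520, "Image": SAMPLE,
     "ParentImage": "C:\\Windows\\explorer.exe",          # assumed parent
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2928, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f"{SAMPLE} startC:\\Users\\Admin\\AppData\\Roaming\\dwm.exe%C:\\Users\\Admin\\AppData\\Roaming"},
    {"EventID": 1, "ProcessId": 1344, "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f"{SAMPLE} startC:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe%C:\\Users\\Admin\\AppData\\Local\\Temp"},
    {"EventID": 13, "ProcessId": 2520,                     # assumed value name and data
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dwm",
     "Details": "C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"},
]


def masqueraded_system_name(path: str) -> bool:
    """True when a file borrows a Windows binary name but lives outside the system dirs."""
    p = path.lower()
    return PureWindowsPath(p).name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS)


def check_process(ev: dict) -> list:
    """Findings for one EventID 1 record."""
    findings = []
    image = ev.get("Image", "")
    m = START_ARG.search(ev.get("CommandLine", ""))
    if m:
        target = m.group(1)
        if image.lower() == ev.get("ParentImage", "").lower():
            findings.append(f"self-relaunch with start arg -> {target}")
        if masqueraded_system_name(target):
            findings.append(f"planting system-binary name outside System32: {target}")
    if masqueraded_system_name(image):          # catches the planted copy once it runs
        findings.append(f"system-binary name running from {image}")
    return findings


def check_registry(ev: dict) -> list:
    """Findings for one EventID 13 (registry value set) record."""
    key = ev.get("TargetObject", "").lower()
    data = ev.get("Details", "").lower()
    if RUN_KEY_HINT in key and any(h in data for h in USER_WRITABLE_HINTS):
        return [f"Run-key persistence to user-writable path: {ev['Details']}"]
    return []


def scan(events) -> dict:
    """Map ProcessId -> findings so one process's behaviours are read together."""
    hits = {}
    for ev in events:
        if ev["EventID"] == 1:
            findings = check_process(ev)
        elif ev["EventID"] == 13:
            findings = check_registry(ev)
        else:
            findings = []
        if findings:
            hits.setdefault(ev["ProcessId"], []).extend(findings)
    return hits


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        for f in findings:
            print(f"PID {pid}: {f}")
```

The path check matters more than the name: dwm.exe and csrss.exe are legitimate in System32, so only the directory separates the real binary from the copy. The self-relaunch rule keys on Image equalling ParentImage, which is exactly what the `2⤵` children above show, and the Run-key rule only fires when the value data points into AppData, Temp or Public, to keep ordinary installer autoruns out of the alert queue.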

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\C915.BE5

    Filesize

    1KB

    MD5

    307c49262d13e33386fc157b72571ca4

    SHA1

    c0ff90e2942312119bf8e511e58d71ff0f29b8da

    SHA256

    fd739d20683d941173009e1c867dae81f1cc33586341fff900519928e69eed6b

    SHA512

    aeb233baa4bb88a9f5111d4dd0eec781588f8a930d6771daaf089e02ec108f2d71c3ff3eeb1b9e7db0cfc994cb53803e89453b5c47cb16c1525d1a8a8b6dea22

  • C:\Users\Admin\AppData\Roaming\C915.BE5

    Filesize

    897B

    MD5

    9ed8d85c4687b5da8da0adc74049771d

    SHA1

    4a37c7b4aac3167680b688ea7d904c3c9b10543b

    SHA256

    88ed9921bde8746306cfe34512f764e8591905934b1444693f4dc5368f507dc6

    SHA512

    d096693ad2d5058553ee6033595a4baac40a7db3dfef025bf86fa8c5504995f533725a94a759457d0ab2baf11242245725d524f43f6bc29abd5e42e3b6876a4f

  • C:\Users\Admin\AppData\Roaming\C915.BE5

    Filesize

    1KB

    MD5

    633c7ac80a09523c4d52711651025bff

    SHA1

    b8054fa6a035274756c8906895b9d46e77acb4f4

    SHA256

    2a895c528bfc05e56aab02467b891665f2fd03dc17ef59fc83bb6e39b78ecd3a

    SHA512

    afefb23ddb220d7049c8d786d22f2043178c6fd5a60e87f56537fbf17fa7b39af65b5fca8b87e04de8437cc019e2668488458daf966a8e2c9a5deea5631805b2

  • C:\Users\Admin\AppData\Roaming\C915.BE5

    Filesize

    597B

    MD5

    3e8c2045570149b2003e090d0624e200

    SHA1

    f39996dfde1340d76262f6975c72c3dfac773037

    SHA256

    59f8ca440d8b52b33a434db5e5bf90336972afada2ef542bb9704b07dd74c3e7

    SHA512

    ac57465e72bad48fcb262ffb3e8d90a4eae589511950695e653693f71be12275b33b5207165fe61b620d8b611bb73c27ac46e8827df7205c96e1dc491fc694be

  • memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/1344-74-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2520-1-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2928-17-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/2928-16-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB