Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/12/2024, 18:59
Static task
static1
Behavioral task
behavioral1
Sample
31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
Resource
win7-20240903-en
General
-
Target
31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
-
Size
165KB
-
MD5
cd0e91bba7713d1a7c66d50c4f9aed90
-
SHA1
fc4dde2537881ce341b8054fe64a9659a235bfaa
-
SHA256
31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095
-
SHA512
2a1eb564056bb3ea26d4ec36ba1c88482ec7fb26b788dbcde7389f654400403519d0d9c82ec544694e668ddbebba0b3a28ca4e70bf0e452764a6b5ada50615a5
-
SSDEEP
3072:EfkfcHxa/ZrtSBnZ+k2/d7V2g855t1dRTvydaDgA+XtZ4X:akfcHxaRhS7+kId/85zLRxgAiZ4
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral2/memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe -
resource yara_rule behavioral2/memory/2520-1-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2928-17-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/1344-74-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2928 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 84 PID 2520 wrote to memory of 2928 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 84 PID 2520 wrote to memory of 2928 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 84 PID 2520 wrote to memory of 1344 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 85 PID 2520 wrote to memory of 1344 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 85 PID 2520 wrote to memory of 1344 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe"C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exeC:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:2928
-
-
C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exeC:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:1344
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5307c49262d13e33386fc157b72571ca4
SHA1c0ff90e2942312119bf8e511e58d71ff0f29b8da
SHA256fd739d20683d941173009e1c867dae81f1cc33586341fff900519928e69eed6b
SHA512aeb233baa4bb88a9f5111d4dd0eec781588f8a930d6771daaf089e02ec108f2d71c3ff3eeb1b9e7db0cfc994cb53803e89453b5c47cb16c1525d1a8a8b6dea22
-
Filesize
897B
MD59ed8d85c4687b5da8da0adc74049771d
SHA14a37c7b4aac3167680b688ea7d904c3c9b10543b
SHA25688ed9921bde8746306cfe34512f764e8591905934b1444693f4dc5368f507dc6
SHA512d096693ad2d5058553ee6033595a4baac40a7db3dfef025bf86fa8c5504995f533725a94a759457d0ab2baf11242245725d524f43f6bc29abd5e42e3b6876a4f
-
Filesize
1KB
MD5633c7ac80a09523c4d52711651025bff
SHA1b8054fa6a035274756c8906895b9d46e77acb4f4
SHA2562a895c528bfc05e56aab02467b891665f2fd03dc17ef59fc83bb6e39b78ecd3a
SHA512afefb23ddb220d7049c8d786d22f2043178c6fd5a60e87f56537fbf17fa7b39af65b5fca8b87e04de8437cc019e2668488458daf966a8e2c9a5deea5631805b2
-
Filesize
597B
MD53e8c2045570149b2003e090d0624e200
SHA1f39996dfde1340d76262f6975c72c3dfac773037
SHA25659f8ca440d8b52b33a434db5e5bf90336972afada2ef542bb9704b07dd74c3e7
SHA512ac57465e72bad48fcb262ffb3e8d90a4eae589511950695e653693f71be12275b33b5207165fe61b620d8b611bb73c27ac46e8827df7205c96e1dc491fc694be