Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 13:35
Static task
static1
Behavioral task
behavioral1
Sample
jeetss456352.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
jeetss456352.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
isktuabvmv.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
isktuabvmv.exe
Resource
win10v2004-20241007-en
General
-
Target
jeetss456352.exe
-
Size
214KB
-
MD5
dafccfe6911e74fd47cf1461e3580ed1
-
SHA1
b84783ab8d2c044c9a4cf2765831fd776f220c64
-
SHA256
8d203db46294994fba62e63ddaf99b53c5b8abf2e407f7ee516f5df1d44cc1af
-
SHA512
4093bbdb3f57b7dff3d6f5e699698c303c9a79cb74bba23778241ea3b8bd12e380ab034065a3f1ff306638346fce69dc8dbc4461983b3cc6c6a95e8a2386c4ab
-
SSDEEP
3072:qUJoFfWzzl+cSM9BPmuGky8vtGAxeVbzb0kA5nyq956rosqcqXMZdQLfl7Z2JwQo:qweEp9Nmj84AuTqNvGr3qbXrLX2CO4T
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3720 isktuabvmv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4160 3720 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jeetss456352.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language isktuabvmv.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1876 wrote to memory of 3720 1876 jeetss456352.exe 83 PID 1876 wrote to memory of 3720 1876 jeetss456352.exe 83 PID 1876 wrote to memory of 3720 1876 jeetss456352.exe 83 PID 3720 wrote to memory of 4924 3720 isktuabvmv.exe 85 PID 3720 wrote to memory of 4924 3720 isktuabvmv.exe 85 PID 3720 wrote to memory of 4924 3720 isktuabvmv.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\jeetss456352.exe"C:\Users\Admin\AppData\Local\Temp\jeetss456352.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"3⤵PID:4924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 6443⤵
- Program crash
PID:4160
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3720 -ip 37201⤵PID:1156
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD54debf3d4be3833c81372eab33bcc8f99
SHA13c01f72309070804bda00f0545ba92dc32635d36
SHA256a5a20c3c5c6a4882e770da52b1a8d498b39fdbf549bffa6b594566d7f26c99a5
SHA5121418bc4717718a6f2fbbf738cde04509b5a8dcefe430b9be0dde97551248551f136e5d7649d8ef415ce67507cbb2c4c7b3ac29824f6abb611a4f658f46a74451
-
Filesize
5KB
MD5b481fd4817e233972e39dd189f695aa6
SHA133c33dec6a53f11990002b97961c3e513e23a0c1
SHA256c955f7c98bf61071eee2393596ff2e9c3555ba31b353daf5fc438b24fae7ad46
SHA51277eb80bd3f63fd3997b934ff97d81124b778fbf1bc9cf45a664912b1289079c38adea8f7f03a98ecdb2dfc8ec3f347ddf90c8b91abdc6bdcae7a770cb0ec076c
-
Filesize
185KB
MD508367820ada06e975ed56b12d436485e
SHA144508235cd40156d2060bcd53b752e309d5332da
SHA256650167bccb0aab8157bac4ff9553af5b9d75561252c3350eb930fd274f74a935
SHA5120e022b1271ac873b332bf5864664e53e21d592c1c2c949247652d5311e42463a9b03193c3b6948a898bfb42b395ec898b865013322bff58033ff9a67d6a652c0