Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2024, 13:35

General

  • Target

    jeetss456352.exe

  • Size

    214KB

  • MD5

    dafccfe6911e74fd47cf1461e3580ed1

  • SHA1

    b84783ab8d2c044c9a4cf2765831fd776f220c64

  • SHA256

    8d203db46294994fba62e63ddaf99b53c5b8abf2e407f7ee516f5df1d44cc1af

  • SHA512

    4093bbdb3f57b7dff3d6f5e699698c303c9a79cb74bba23778241ea3b8bd12e380ab034065a3f1ff306638346fce69dc8dbc4461983b3cc6c6a95e8a2386c4ab

  • SSDEEP

    3072:qUJoFfWzzl+cSM9BPmuGky8vtGAxeVbzb0kA5nyq956rosqcqXMZdQLfl7Z2JwQo:qweEp9Nmj84AuTqNvGr3qbXrLX2CO4T

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jeetss456352.exe
    "C:\Users\Admin\AppData\Local\Temp\jeetss456352.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe
      "C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe
        "C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe"
        3⤵
        PID:4924
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 644
        3⤵
        • Program crash
        PID:4160
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3720 -ip 3720
      1⤵
      PID:1156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\isktuabvmv.exe

    Filesize

    6KB

    MD5

    4debf3d4be3833c81372eab33bcc8f99

    SHA1

    3c01f72309070804bda00f0545ba92dc32635d36

    SHA256

    a5a20c3c5c6a4882e770da52b1a8d498b39fdbf549bffa6b594566d7f26c99a5

    SHA512

    1418bc4717718a6f2fbbf738cde04509b5a8dcefe430b9be0dde97551248551f136e5d7649d8ef415ce67507cbb2c4c7b3ac29824f6abb611a4f658f46a74451

  • C:\Users\Admin\AppData\Local\Temp\lrwrtr.wl

    Filesize

    5KB

    MD5

    b481fd4817e233972e39dd189f695aa6

    SHA1

    33c33dec6a53f11990002b97961c3e513e23a0c1

    SHA256

    c955f7c98bf61071eee2393596ff2e9c3555ba31b353daf5fc438b24fae7ad46

    SHA512

    77eb80bd3f63fd3997b934ff97d81124b778fbf1bc9cf45a664912b1289079c38adea8f7f03a98ecdb2dfc8ec3f347ddf90c8b91abdc6bdcae7a770cb0ec076c

  • C:\Users\Admin\AppData\Local\Temp\ovyicohnryx.es

    Filesize

    185KB

    MD5

    08367820ada06e975ed56b12d436485e

    SHA1

    44508235cd40156d2060bcd53b752e309d5332da

    SHA256

    650167bccb0aab8157bac4ff9553af5b9d75561252c3350eb930fd274f74a935

    SHA512

    0e022b1271ac873b332bf5864664e53e21d592c1c2c949247652d5311e42463a9b03193c3b6948a898bfb42b395ec898b865013322bff58033ff9a67d6a652c0

  • memory/3720-8-0x00000000006D0000-0x00000000006D2000-memory.dmp

    Filesize

    8KB