Analysis
max time kernel: 117s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 08:00
Behavioral task behavioral1
Sample: 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
Resource: win10v2004-20241007-en
General
Target: 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
Size: 441KB
MD5: 5c08ca135ff9d8316dd10845db00f635
SHA1: a24c9ccc818e192356169c409c265645e6f39824
SHA256: 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e
SHA512: a38b1c2db66416d96e966960ef394da048065f981d1386851581e43c579ebddc623bbfb4dac8a2079ddf1190ab3548e57a7b5abef6d0ca186aae438e84b0f9db
SSDEEP: 6144:QZlBLpEu7eOhAF2QXcnzVRPYfmB8LVqv7IVuUmj+ZF6/BCrO6Kwc:QlpEu7eOhA7XcnzjYf+8LV2IVgj+Ep
Malware Config
Extracted: metasploit
encoder/fnstenv_mov
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Metasploit family
Executes dropped EXE (8 IoCs)
pid | Process
3468 | wplayer.exe
1368 | wplayer.exe
2916 | wplayer.exe
4068 | wplayer.exe
916 | wplayer.exe
2572 | wplayer.exe
4996 | wplayer.exe
2376 | wplayer.exe
Drops file in System32 directory (18 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
File opened for modification | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
File created | C:\Windows\SysWOW64\wplayer.exe | wplayer.exe
resource | yara_rule
behavioral2/memory/3680-0-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/files/0x000c000000023b12-5.dat | upx
behavioral2/memory/3680-7-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/3468-8-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/1368-10-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/2916-12-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/4068-14-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/916-16-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/2572-18-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/4996-20-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
behavioral2/memory/2376-22-0x0000000000400000-0x00000000004AE000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wplayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wplayer.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 3680 wrote to memory of 3468 | 3680 | 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe | 82
PID 3680 wrote to memory of 3468 | 3680 | 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe | 82
PID 3680 wrote to memory of 3468 | 3680 | 78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe | 82
PID 3468 wrote to memory of 1368 | 3468 | wplayer.exe | 88
PID 3468 wrote to memory of 1368 | 3468 | wplayer.exe | 88
PID 3468 wrote to memory of 1368 | 3468 | wplayer.exe | 88
PID 1368 wrote to memory of 2916 | 1368 | wplayer.exe | 92
PID 1368 wrote to memory of 2916 | 1368 | wplayer.exe | 92
PID 1368 wrote to memory of 2916 | 1368 | wplayer.exe | 92
PID 2916 wrote to memory of 4068 | 2916 | wplayer.exe | 94
PID 2916 wrote to memory of 4068 | 2916 | wplayer.exe | 94
PID 2916 wrote to memory of 4068 | 2916 | wplayer.exe | 94
PID 4068 wrote to memory of 916 | 4068 | wplayer.exe | 95
PID 4068 wrote to memory of 916 | 4068 | wplayer.exe | 95
PID 4068 wrote to memory of 916 | 4068 | wplayer.exe | 95
PID 916 wrote to memory of 2572 | 916 | wplayer.exe | 96
PID 916 wrote to memory of 2572 | 916 | wplayer.exe | 96
PID 916 wrote to memory of 2572 | 916 | wplayer.exe | 96
PID 2572 wrote to memory of 4996 | 2572 | wplayer.exe | 97
PID 2572 wrote to memory of 4996 | 2572 | wplayer.exe | 97
PID 2572 wrote to memory of 4996 | 2572 | wplayer.exe | 97
PID 4996 wrote to memory of 2376 | 4996 | wplayer.exe | 98
PID 4996 wrote to memory of 2376 | 4996 | wplayer.exe | 98
PID 4996 wrote to memory of 2376 | 4996 | wplayer.exe | 98
Processes (process tree, indented by depth)
1. C:\Users\Admin\AppData\Local\Temp\78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe"
   PID: 3680
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\wplayer.exe
     Command line: C:\Windows\system32\wplayer.exe 1016 "C:\Users\Admin\AppData\Local\Temp\78479f94f0e31b0c332314cf0c398dcffe9c2db6a1972b079957ac6a8be1810e.exe"
     PID: 3468
     - Executes dropped EXE
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\wplayer.exe
       Command line: C:\Windows\system32\wplayer.exe 1144 "C:\Windows\SysWOW64\wplayer.exe"
       PID: 1368
       - Executes dropped EXE
       - Drops file in System32 directory
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\wplayer.exe
         Command line: C:\Windows\system32\wplayer.exe 1116 "C:\Windows\SysWOW64\wplayer.exe"
         PID: 2916
         - Executes dropped EXE
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\wplayer.exe
           Command line: C:\Windows\system32\wplayer.exe 1112 "C:\Windows\SysWOW64\wplayer.exe"
           PID: 4068
           - Executes dropped EXE
           - Drops file in System32 directory
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\wplayer.exe
             Command line: C:\Windows\system32\wplayer.exe 1120 "C:\Windows\SysWOW64\wplayer.exe"
             PID: 916
             - Executes dropped EXE
             - Drops file in System32 directory
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\SysWOW64\wplayer.exe
               Command line: C:\Windows\system32\wplayer.exe 1124 "C:\Windows\SysWOW64\wplayer.exe"
               PID: 2572
               - Executes dropped EXE
               - Drops file in System32 directory
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\SysWOW64\wplayer.exe
                 Command line: C:\Windows\system32\wplayer.exe 1056 "C:\Windows\SysWOW64\wplayer.exe"
                 PID: 4996
                 - Executes dropped EXE
                 - Drops file in System32 directory
                 - System Location Discovery: System Language Discovery
                 - Suspicious use of WriteProcessMemory
                9. C:\Windows\SysWOW64\wplayer.exe
                   Command line: C:\Windows\system32\wplayer.exe 1132 "C:\Windows\SysWOW64\wplayer.exe"
                   PID: 2376
                   - Executes dropped EXE
                   - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15