Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/01/2025, 18:54
Behavioral task
behavioral1
Sample
392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe
Resource
win10v2004-20241007-en
General
-
Target
392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe
-
Size
29KB
-
MD5
0e3c411ed321fda6f48c0d5dc527b820
-
SHA1
080f089467dca8c7b3b13c18733f744fb44e0206
-
SHA256
392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0
-
SHA512
0b68f41a18a90266a5950821897cd36a1ba90a16e7869cceaa6e4fd3abea07728d5ca27cb822ae967e3f09093bb4be45f96422d1da921bb8b96f621f615b37e8
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/r:AEwVs+0jNDY1qi/qz
Malware Config
Signatures
-
Detects MyDoom family 6 IoCs
resource yara_rule behavioral2/memory/4432-13-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4432-39-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4432-129-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4432-133-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4432-140-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom behavioral2/memory/4432-161-0x0000000000500000-0x0000000000510200-memory.dmp family_mydoom -
Mydoom family
-
Executes dropped EXE 1 IoCs
pid Process 4608 services.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
resource yara_rule behavioral2/memory/4432-0-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/files/0x0008000000023c97-4.dat upx behavioral2/memory/4608-5-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4432-13-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4608-15-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4608-16-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4608-21-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4608-26-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4608-28-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4608-33-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4608-38-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4432-39-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4608-40-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/files/0x0002000000021d5e-48.dat upx behavioral2/memory/4432-129-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4608-130-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4432-133-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4608-134-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4608-136-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4432-140-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral2/memory/4608-141-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral2/memory/4432-161-0x0000000000500000-0x0000000000510200-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\java.exe 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe File created C:\Windows\services.exe 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe File opened for modification C:\Windows\java.exe 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4432 wrote to memory of 4608 4432 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe 83 PID 4432 wrote to memory of 4608 4432 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe 83 PID 4432 wrote to memory of 4608 4432 392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe"C:\Users\Admin\AppData\Local\Temp\392d3d47db52a25f70bfdebf4bc48e27ae68171931841acd7c994faf7443a4d0N.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4608
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD52d4bfd6b00cd877d078eab8d4d2b5251
SHA1759ee778f46b3acbf113bb696d6fd5bcc0e70b23
SHA2569885127f7b96e205ff0f327a0fe428be95d4e8de2c6aeb306d5032a44925a8b3
SHA512dc3f2aa9101a1c14bc5ed056aeb23e20a22e72b79dd4006d43722d97f4f1c2d466476f10aedff880c63c15a2b931c3ef6c5573bf3d3fbb9fa13b4dad26048c1e
-
Filesize
320B
MD5e8c7b74c43cc024b3a79862bc080b209
SHA1697382f05c7feb41a89fa27718f40cc1bca92cc7
SHA25647f9c1f8e07aa633afb5387c2476382b7aeea9d08027ad011f36c7178a113f74
SHA512c783f7d34b171d616e84b5430b6c8334d376fa89239d000c7d8e60d43618eeee069d0c2719d7392592ff925b1fbf95622d76cd5f296c080755670a946b83450f
-
Filesize
320B
MD5b97350440533f78f112cd4ea6f311e94
SHA153e0538cd06ce9544e7b25c58bc81aa75780aa46
SHA256f7c7cedf61ef010757ea93d8a50f0e61c16165bb9d4a7804898b024fdb8506df
SHA512f43e866fb108b13818fe3c3f0ede5d5ab1ed27e1fae4aeb6210488c5c5c093ca4e41d467945611e161b8d9b0d8d1b46732fa53922872c3509c0706f49bfb8ce4
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2