Analysis
- max time kernel: 118s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 27/01/2025, 09:39
Static task: static1
Behavioral task: behavioral1
Sample: 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
Resource: win7-20240903-en
General
- Target: 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
- Size: 828KB
- MD5: 4a6089ff0c9e02049cc5cb9fdbbfcbc0
- SHA1: 3dd0168e95acbc2b24b6fdcae1a7e8fad5c1a678
- SHA256: 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82
- SHA512: 2a47b744940127d270e86382b8931f91f5cda3b8c451c582f36d7a1126b47df448cd849d9c7048ae9358a3d104ca5d5b7297aa6cdb22a30636eeef3b6b88de97
- SSDEEP: 12288:YaWzgMV7v36oCi3ErQohh0F4wCJ8lnyrQELlmo/4jSO9fgCBjvrEH7jp:PaHVvQzrjInyrQELX/eB9fHrEH7jp
Malware Config
Signatures
- Floxif family
- Detects Floxif payload (1 IoC)
  yara_rule floxif: behavioral2/files/0x0010000000023bd7-1.dat
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  yara_rule acprotect: behavioral2/files/0x0010000000023bd7-1.dat
- Loads dropped DLL (1 IoC)
  pid 1788: 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\e: by 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
- UPX packed file (7 IoCs)
  yara_rule upx: behavioral2/files/0x0010000000023bd7-1.dat
  yara_rule upx: behavioral2/memory/1788-4-0x0000000010000000-0x0000000010030000-memory.dmp
  yara_rule upx: behavioral2/memory/1788-97-0x0000000010000000-0x0000000010030000-memory.dmp
  yara_rule upx: behavioral2/memory/1788-110-0x0000000010000000-0x0000000010030000-memory.dmp
  yara_rule upx: behavioral2/memory/1788-123-0x0000000010000000-0x0000000010030000-memory.dmp
  yara_rule upx: behavioral2/memory/1788-132-0x0000000010000000-0x0000000010030000-memory.dmp
  yara_rule upx: behavioral2/memory/1788-134-0x0000000010000000-0x0000000010030000-memory.dmp
- Drops file in Program Files directory (2 IoCs)
  File created C:\Program Files\Common Files\System\symsrv.dll by 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
  File created \??\c:\program files\common files\system\symsrv.dll.000 by 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1788: 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe (8 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1788: 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1788: 180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe (PID 1788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 67KB
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
- Filesize: 175B
  MD5: 1130c911bf5db4b8f7cf9b6f4b457623
  SHA1: 48e734c4bc1a8b5399bff4954e54b268bde9d54c
  SHA256: eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
  SHA512: 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0
- C:\Users\Admin\AppData\Local\Temp\180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.ini
  Filesize: 2KB
  MD5: 2ae1ff58ba61aef6374e2198bf50c5b4
  SHA1: 7d35f47513cded1dffd4b56d44f4fbe125efa109
  SHA256: 2796332399e48366c6d66c9fee6703a27f270f3cf4c5278d5d89dc97c4f02a2e
  SHA512: 33f005c703b33b29927dab10a1393107dfa2f889710fd1c1a3bc8801aa9ceb6de31f2cb62f52c4f7933b29cd1e1ae8f6264e7c27946b0b71b66d67685dc8e199
- Filesize: 751KB
  MD5: 77ffa8c7af0df18f0285f11b490d726f
  SHA1: d2b13b47eeab95a98ba93fa2bd86419029f2c5b1
  SHA256: 7d8f35945c17c54056d4aaca05c14bd45640a8c9d1d38f646ae06a8b9cb0c117
  SHA512: be4d58e08ee73ea021c5d70be533eb2323fe55d0c1e34b186040316ce108e40a5a7165dd469645a2e7779fbb75c82ea0f44710f9ae45e6ef7dae7267ce6a0daf
- Filesize: 24KB
  MD5: f571a0f2baa5fbe8fd82c5efe455100b
  SHA1: f8b1e1964d6708a8b508d947e5a68ac1d8cb6e22
  SHA256: 25c2327760cb20441b8523033b5aae914d76efebddb78798b80bea5f6ee97f41
  SHA512: 1c4dfec982ee0a1bcea4bc66e0da51e2481b4f8ade453409ef60276b9eac1fa45c789333670497102e67a4d4dabed9c60e472eacf7097be894bf8544718b4dc1
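The hashes in the Downloads section are only useful once they are turned into something that can be run against a host or a file share. The script below is an added example and is not part of the Triage report or of any Triage tooling: it parses a Downloads-style excerpt (copied from the page for two of the artifacts, tolerating the fused "MD5<hex>" lines that page extraction produces), rejects digests of the wrong length, then walks a directory tree and reports every file whose MD5/SHA1/SHA256/SHA512 matches an indicator. The directory layout, the stand-in `symsrv.dll` and its indicator in `demo()` are constructed for the demonstration; the real dropped files are not available here, so the page's own hashes cannot match in the demo.

```python
"""Hash-indicator matcher for a tria.ge Downloads section.
Added example, not part of the Triage report. REPORT_EXCERPT is copied from the
page (two of the six artifacts); the on-disk tree in demo() is constructed."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hex-digest length per algorithm; a different length means a mangled line.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Extraction often fuses label and value ("MD5<hex>"), so whitespace is optional.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
SIZE_LINE = re.compile(r"^Filesize\s*(\d+)\s*(B|KB|MB)$")


@dataclass
class Artifact:
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_artifacts(text: str) -> List[Artifact]:
    """Each '-' line opens a new artifact; path, size and digests follow it."""
    artifacts: List[Artifact] = []
    cur: Optional[Artifact] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            cur = Artifact()
            artifacts.append(cur)
        elif cur is None or not line:
            continue  # heading text before the first bullet, or a blank line
        elif HASH_LINE.match(line):
            algo, digest = HASH_LINE.match(line).groups()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars: {line}")
            cur.hashes[algo] = digest.lower()
        elif SIZE_LINE.match(line):
            cur.size = "".join(SIZE_LINE.match(line).groups())
        elif "\\" in line or "/" in line:
            cur.path = line
    return [a for a in artifacts if a.hashes]


def hash_file(path: str) -> Dict[str, str]:
    """All four digests in a single pass over the file."""
    hashers = {a: hashlib.new(a.lower()) for a in HASH_LENGTHS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root: str, artifacts: List[Artifact]) -> List[Tuple[str, str, str]]:
    """(file, algorithm, report_path) for every file matching any indicator.
    One algorithm suffices: SHA256 is authoritative, but MD5/SHA1 still match
    when a log or feed only recorded the weaker digest."""
    index = {(algo, d): (a.path or "<unnamed>") for a in artifacts for algo, d in a.hashes.items()}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            fp = os.path.join(dirpath, name)
            try:
                digests = hash_file(fp)
            except OSError:
                continue  # unreadable or locked; a real scanner would log this
            hits += [(fp, algo, index[(algo, d)]) for algo, d in digests.items() if (algo, d) in index]
    return hits


REPORT_EXCERPT = r"""Downloads
-
Filesize 67KB
MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
-
C:\Users\Admin\AppData\Local\Temp\180a5056261a5909d36311f5e4e80b36c9a485fdb36fe08ad14723933fb9de82N.ini
Filesize2KB
MD52ae1ff58ba61aef6374e2198bf50c5b4
SHA17d35f47513cded1dffd4b56d44f4fbe125efa109
SHA2562796332399e48366c6d66c9fee6703a27f270f3cf4c5278d5d89dc97c4f02a2e
"""


def demo() -> Dict[str, object]:
    """Constructed tree: a stand-in 'symsrv.dll' whose digest is added as a
    hypothetical indicator, plus a benign file. The report's hashes cannot hit
    here because the real dropped files are not available."""
    artifacts = parse_artifacts(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Common Files", "System")
        os.makedirs(sub)
        planted = os.path.join(sub, "symsrv.dll")
        with open(planted, "wb") as fh:
            fh.write(b"MZ constructed stand-in, not the real dropped DLL\n")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign\n")
        stand_in = Artifact(path="symsrv.dll (stand-in)", hashes={"SHA256": hash_file(planted)["SHA256"]})
        hits = scan_tree(root, artifacts + [stand_in])
    return {"artifacts": len(artifacts), "hits": [(os.path.basename(f), algo, src) for f, algo, src in hits]}


if __name__ == "__main__":
    print(demo())
```

In practice the excerpt would be the full Downloads section and `root` a mounted image or `C:\Program Files\Common Files\System`, where this report shows `symsrv.dll` being written; matching on the 175B and 2KB artifacts is weak evidence on its own since small configuration files collide easily, so treat the 67KB/751KB hits as the ones worth escalating.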