Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/05/2023, 01:30
Static task: static1
Behavioral task: behavioral1
- Sample: a38740f27d72f631a071f9b8d4707b4c.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: a38740f27d72f631a071f9b8d4707b4c.exe
- Resource: win10v2004-20230220-en
General
- Target: a38740f27d72f631a071f9b8d4707b4c.exe
- Size: 238KB
- MD5: a38740f27d72f631a071f9b8d4707b4c
- SHA1: 3dae530f1fa4329bdb10d79ae20fa56e77b19ae5
- SHA256: 967c720bf123abc4385306cd0ce6c25fa515b2c107c2ae6f670e4d863912a660
- SHA512: da87468cebb4f835c6b5ca84bdef1852ec242e269173f344c85bab821e974dda16f7ce1d07c72c94916b8a59fade6e053a8bea3381e7702789ce5870c312e735
- SSDEEP: 6144:yKvu7/cjSdN2K5YU13i3o4Ms2eXAOt3va:yQEgSdNjeXby
Malware Config
Extracted: laplas
- http://65.109.140.234
- api_key: df447cf68e10f5a0e77c16bf0c96d9b97c6c34c9cb2157c2676b9d321b5633cc
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | a38740f27d72f631a071f9b8d4707b4c.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  232 | svcservice.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" | a38740f27d72f631a071f9b8d4707b4c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3260 wrote to memory of 232 | 3260 | a38740f27d72f631a071f9b8d4707b4c.exe | 84
  PID 3260 wrote to memory of 232 | 3260 | a38740f27d72f631a071f9b8d4707b4c.exe | 84
  PID 3260 wrote to memory of 232 | 3260 | a38740f27d72f631a071f9b8d4707b4c.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe"
  PID: 3260
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    PID: 232
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 777.2MB
  MD5: e6497a99b32af3324b3e4883a29e9b67
  SHA1: e502e05c2aade220b3070a82ad6fc681f67fff04
  SHA256: 2d75727e885b9ddd6ab0c7665d6a842616a4fd26e2ff25192ea8eca11eaec5f6
  SHA512: 3e00375119683c30cde504168b317dbf83559ce50f0ca5e3e31d86b824e35f147e734bf80c498274c479882cd0f02940eda83749b220c72b14f08664a56f1c8a
- Filesize: 620.0MB
  MD5: e1666159121c35a10d3b01ab420027a8
  SHA1: 2ae219f4583f3c940a5ce46ec92aa7f473a05d2e
  SHA256: 6153da2d2a0c15b30d660dc6ec3bceac5d27db07023860c7fc70c201b3aa44f6
  SHA512: 15f33a4c7cbca07dc2227d30721d7908f87b1db128ce8c6f85127065507cc168a32f17b0b5b7a1ef01a2f598cb4c12a02ef1066dd42b61adc565b9a837b18462
- Filesize: 747.2MB
  MD5: aaf1f43b28e94c8bf70bf9ca074e0bd6
  SHA1: 6470ffcea0ba58d1e922875b98e747e685687855
  SHA256: bf8a41365084d1d7f77ae89d39f258b3cdd9174bf0048ad52ed264dd6475f24b
  SHA512: d3a6da9d22ab2ad1508aec10279e30b8a9fe737c257132e75962bdd8fb49d093dc9e55b4b0562e7b4eb22eb67d63b446276f4a2aa343b0d767493cfdadb84da1