Analysis
max time kernel: 85s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2023, 07:49
Static task: static1
Behavioral task behavioral1: chuanameexe.exe on win7-20230621-en
Behavioral task behavioral2: chuanameexe.exe on win10v2004-20230621-en (this report)
General
Target: chuanameexe.exe
Size: 157KB
MD5: 5767ca40c29cb20842c8d3b12c93d582
SHA1: 8fe5bcd90416a48b3f862ea52f726239d2d8efc3
SHA256: a14f448e7fbeed5aee2f0db602bca444bb821e731452e0e43f914b1cd902fec5
SHA512: 9c6fd9ffb1b0ea6305c4ed893923aa2e21ccaa63797b36458dc63eabd84e01cbc6b3331d808b58c79ae74122ee841872ab1e12683f8065ba0f40042f7f8b6321
SSDEEP: 3072:s2A2+ClsFxK7hfi5ji+8T26z02mNt4H96u:/AbZFx4h2uaew4Hn
Malware Config
Extracted
Protocol: ftp
Host: 38.54.95.217
Port: 21
Username: 123
Password: 123
Signatures
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation (chuanameexe.exe)
Executes dropped EXE (2 IoCs)
PID 4868: local.exe
PID 4396: {7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by local.exe, in the order observed: \??\E:, \??\R:, \??\N:, \??\V:, \??\W:, \??\K:, \??\M:, \??\I:, \??\O:, \??\P:, \??\Q:, \??\U:, \??\X:, \??\G:, \??\H:, \??\Y:, \??\Z:, \??\L:, \??\S:, \??\T:, \??\B:, \??\J: (22 drive letters, i.e. every letter except A, C, D and F)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (local.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (local.exe)
Modifies registry class (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings (chuanameexe.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1688197804" ({7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 4868: local.exe (64 identical events)
Suspicious use of SetWindowsHookEx (2 IoCs)
PID 468: chuanameexe.exe
PID 4868: local.exe
Suspicious use of WriteProcessMemory (3 IoCs)
PID 468 (chuanameexe.exe) wrote to memory of PID 4868 (local.exe), procid_target 89 (3 identical events)
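The signatures above are the kind of behaviour a host-telemetry pipeline can match directly. The block below is an added example written for this page, not tria.ge code and not part of the report: a small Python matcher that re-derives the report's findings (geofence key lookup, execution from a dropped path, drive-root sweep, CPU-name query, cross-process memory write, contact with the extracted FTP C2) from a constructed event stream. The event schema, the drive-sweep threshold of 8, the `_user_writable` path heuristic and the `net_connect` event are assumptions; the report's Network section records no traffic, so the FTP indicator comes from the static config extraction only.

```python
"""
Behavioural matcher for the indicators in this report. Added example, not
tria.ge code. The telemetry schema (dicts with "type", "pid" and per-type
fields) is an assumption; the report's IoCs are the only real data in it.
"""
import re
from collections import defaultdict

# Indicators copied from the report.
FTP_C2 = ("38.54.95.217", 21)                      # extracted malware config
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"
CPU_KEY_SUFFIX = r"\centralprocessor\0\processornamestring"
# Assumption: probing this many non-C: drive roots is a sweep, not normal use.
DRIVE_SWEEP_THRESHOLD = 8

DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")   # NT path like \??\E:


def _user_writable(image):
    """True for images launched from the directories this sample drops into (heuristic)."""
    image = image.lower()
    return image.startswith("c:\\programdata\\") or (
        image.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in image
    )


def analyze(events):
    """Return (pid, finding) tuples named after the report's signatures."""
    findings = []
    drives_probed = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "reg_query":
            key = ev["key"].lower()
            if key.endswith(GEO_KEY_SUFFIX):
                findings.append((pid, "geofence_check"))
            elif key.endswith(CPU_KEY_SUFFIX):
                findings.append((pid, "cpu_fingerprint"))
        elif kind == "file_open":
            m = DRIVE_ROOT_RE.match(ev["path"])
            if m and m.group(1).upper() != "C":
                drives_probed[pid].add(m.group(1).upper())
        elif kind == "process_create" and _user_writable(ev["image"]):
            findings.append((pid, "exec_from_user_writable"))
        elif kind == "process_access" and ev.get("write"):
            findings.append((pid, f"writeprocessmemory->{ev['target_pid']}"))
        elif kind == "net_connect" and (ev["dst_ip"], ev["dst_port"]) == FTP_C2:
            findings.append((pid, "ftp_c2_contact"))
    for pid, letters in drives_probed.items():
        if len(letters) >= DRIVE_SWEEP_THRESHOLD:
            findings.append((pid, f"drive_sweep:{len(letters)}"))
    return findings


def suspicious_pids(findings, minimum=2):
    """PIDs with at least `minimum` distinct findings; one hit alone is weak evidence."""
    per_pid = defaultdict(set)
    for pid, name in findings:
        per_pid[pid].add(name)
    return sorted(pid for pid, names in per_pid.items() if len(names) >= minimum)


# Constructed telemetry reproducing the report's process tree and IoCs. The
# net_connect event is invented to exercise the C2 rule; the sandbox recorded
# no traffic, the FTP indicator comes from static config extraction.
SID = "S-1-5-21-2890635272-812199704-3564780063-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\chuanameexe.exe"
DROPPED = r"C:\ProgramData\babyiloveyou\local.exe"
DRIVE_LETTERS = "ERNVWKMIOPQUXGHYZLSTBJ"            # the 22 letters in the report

SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 468, "image": SAMPLE},
    {"type": "reg_query", "pid": 468,
     "key": "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"},
    {"type": "process_access", "pid": 468, "target_pid": 4868, "write": True},
    {"type": "process_create", "pid": 4868, "image": DROPPED},
    *[{"type": "file_open", "pid": 4868, "path": "\\??\\" + d + ":"} for d in DRIVE_LETTERS],
    {"type": "reg_query", "pid": 4868,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "net_connect", "pid": 4868, "dst_ip": "38.54.95.217", "dst_port": 21},
    {"type": "process_create", "pid": 4396,
     "image": r"C:\Users\Admin\AppData\Local\Temp\{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe"},
    # Benign noise: Explorer touching the system drive root must not count as a sweep.
    {"type": "process_create", "pid": 1234, "image": r"C:\Windows\explorer.exe"},
    {"type": "file_open", "pid": 1234, "path": r"\??\C:"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for pid, name in hits:
        print(pid, name)
    print("suspicious:", suspicious_pids(hits))
```

Running the file prints one line per finding and then the PIDs that earned two or more distinct behaviours; that threshold is what keeps a lone registry read, which legitimate installers also perform, from paging anyone, while the drive sweep plus CPU fingerprint plus cross-process write seen here still surfaces both sample processes.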
Processes
C:\Users\Admin\AppData\Local\Temp\chuanameexe.exe (PID 468)
  command line: "C:\Users\Admin\AppData\Local\Temp\chuanameexe.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\ProgramData\babyiloveyou\local.exe (PID 4868)
    command line: "C:\ProgramData\babyiloveyou\local.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
C:\Windows\System32\rundll32.exe (PID 3976)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe (PID 4396)
  command line: "C:\Users\Admin\AppData\Local\Temp\{7CBBA74D-F726-45b3-88A7-95870B05D57E}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{0D611EE8-33DA-40d6-9610-3D0F5FA5F9A0}"
  - Executes dropped EXE
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 141KB (listed 3 times with identical hashes)
MD5: fd296444464edd9d1ca67e62c1494fb8
SHA1: b81b8a3e55754c7597d51f144b878de6987770b6
SHA256: 91209859d25234012d06df1fa27e4e1f842f5a897a565bab217774841d7b24a6
SHA512: 50f892cea7629f4953231925a38ae9fd768df2167a7070b2add79f4dbaf8d7e563ec2343abdf133c7e14bea4f2f9d3ed41690c40ae364934c070bc58bafc574f
Filesize: 829B
MD5: a3dd775111efd46e0abd9ef662e6d458
SHA1: 07a2759e6d7237a279b5bcf8cb177b9fd6c673ba
SHA256: 31ef3bed15d38e2c5333e311c562e11f068b19d0539ce28af9f3411ee7ef15be
SHA512: f953e0687fd5421b9cc42d49ebb6abff66a894422c7ac182b614d2066b58fdb79f0ac4c22fae78359f120ae3e537f47e081503ee6761e1660bf2bba1132d4c2c
Filesize: 2KB
MD5: ff0c7c2667dff4f3ed588f40d047c642
SHA1: 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf
SHA256: 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
SHA512: 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3
Filesize: 215B
MD5: b36872603898adf29dc000d66f9ee3ef
SHA1: b791670740194ec215630203969a622f35c398ec
SHA256: fcc78b7741d25bc7bafa41631bf23ab6fae4b008bc59beb341210c11a922c090
SHA512: 647b0e7eb517bd92c0aa866fc09db13b7499f4d4c54110285e254d996c5ce7e9633dc9ed9ddc00173a041771ec5f39dc0e555b6c2cd454443ab66df2a8d2fd35
Filesize: 1.0MB (listed 2 times with identical hashes)
MD5: 217dc98e219a340cb09915244c992a52
SHA1: a04f101ca7180955d62e4a1aaeccdcca489209da
SHA256: 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512: dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85