Analysis

  max time kernel: 48s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05/07/2023, 06:16
Static task: static1

Behavioral task: behavioral1
  Sample: c7e68f6c127994363927fda99e96c53e.exe
  Resource: win7-20230703-en

Behavioral task: behavioral2
  Sample: c7e68f6c127994363927fda99e96c53e.exe
  Resource: win10v2004-20230703-en
General

  Target: c7e68f6c127994363927fda99e96c53e.exe
  Size: 2.5MB
  MD5: c7e68f6c127994363927fda99e96c53e
  SHA1: 9f88fa05eead627838d9b114fcb27121f0148bf6
  SHA256: ff49f132c704dd427042dcd0a58c5522be6e165c40efdeb17c042217f3b0fe9c
  SHA512: b02732aba26620700680c457cb95eff326f150826c51daea82f0f517121a29fdc19679f600ccedaf07d1b6928303ca759bc6533a2ed9d287e5330e5c6bb2a366
  SSDEEP: 24576:B47stUFlg46o/LJiFBIbGAq4OCgwYM/wARmPj5tS7vp1LX7J4Cx4G2FYkr:B4wtUFlg4/2i4pFYk
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation
  Process: c7e68f6c127994363927fda99e96c53e.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iokkotxpfm = "C:\\Users\\Admin\\AppData\\Roaming\\Iokkotxpfm.exe"
  Process: c7e68f6c127994363927fda99e96c53e.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 664 WerFault.exe, target PID 2636 (procid_target 79)

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
  PID 368 ipconfig.exe
  PID 4868 ipconfig.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2636 c7e68f6c127994363927fda99e96c53e.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2636 wrote to memory of 3880 (c7e68f6c127994363927fda99e96c53e.exe, procid_target 80)
  PID 2636 wrote to memory of 3880 (c7e68f6c127994363927fda99e96c53e.exe, procid_target 80)
  PID 2636 wrote to memory of 3880 (c7e68f6c127994363927fda99e96c53e.exe, procid_target 80)
  PID 3880 wrote to memory of 368 (cmd.exe, procid_target 82)
  PID 3880 wrote to memory of 368 (cmd.exe, procid_target 82)
  PID 3880 wrote to memory of 368 (cmd.exe, procid_target 82)
  PID 2636 wrote to memory of 5056 (c7e68f6c127994363927fda99e96c53e.exe, procid_target 83)
  PID 2636 wrote to memory of 5056 (c7e68f6c127994363927fda99e96c53e.exe, procid_target 83)
  PID 2636 wrote to memory of 5056 (c7e68f6c127994363927fda99e96c53e.exe, procid_target 83)
  PID 5056 wrote to memory of 4868 (cmd.exe, procid_target 85)
  PID 5056 wrote to memory of 4868 (cmd.exe, procid_target 85)
  PID 5056 wrote to memory of 4868 (cmd.exe, procid_target 85)
Processes

C:\Users\Admin\AppData\Local\Temp\c7e68f6c127994363927fda99e96c53e.exe (PID 2636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c7e68f6c127994363927fda99e96c53e.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3880)
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe (PID 368)
          Command line: ipconfig /release
          - Gathers network information

    C:\Windows\SysWOW64\cmd.exe (PID 5056)
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe (PID 4868)
          Command line: ipconfig /renew
          - Gathers network information

    C:\Windows\SysWOW64\WerFault.exe (PID 664)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 1096
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3464)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2636 -ip 2636