Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2023, 14:54

General

  • Target

    c4d36accd6fa7307e7aaa17633e44df901bc75446bf83de6ba06ab03722b1611.exe

  • Size

    199KB

  • MD5

    22ae69154d99c2e8c5b9ace329f74b5b

  • SHA1

    fd364b5a139d15ad0328f6adc3e0b2954220c478

  • SHA256

    c4d36accd6fa7307e7aaa17633e44df901bc75446bf83de6ba06ab03722b1611

  • SHA512

    291507c6b65513ce91800da6f576904ae5af94f23516da131d1bd692e7dc008d3a700be4ca14cc42be514e144efa55b1c12efc350108969a01575a46af3f140c

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOF:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX8

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4d36accd6fa7307e7aaa17633e44df901bc75446bf83de6ba06ab03722b1611.exe
    "C:\Users\Admin\AppData\Local\Temp\c4d36accd6fa7307e7aaa17633e44df901bc75446bf83de6ba06ab03722b1611.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C4D36A~1.EXE > nul
      2⤵
        PID:4540
    • C:\Windows\Debug\wmahost.exe
      C:\Windows\Debug\wmahost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:4992

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Debug\wmahost.exe

      Filesize

      199KB

      MD5

      89dda53bbbe9103247cde98708bbe87a

      SHA1

      2873f4a23d18934644770110f0e5992363398102

      SHA256

      0c41730de870da889a989adc3807dfb0059492ddba87d1c57ce32fba6bb2451a

      SHA512

      999714b8abb54465809fff0266080cf751ec8805b8d4c8d6471e6de86c75fe59269da40caab48c2e4936f291423e233876631d0b67b876a62fa941371d32cfa2

    • C:\Windows\debug\wmahost.exe

      Filesize

      199KB

      MD5

      89dda53bbbe9103247cde98708bbe87a

      SHA1

      2873f4a23d18934644770110f0e5992363398102

      SHA256

      0c41730de870da889a989adc3807dfb0059492ddba87d1c57ce32fba6bb2451a

      SHA512

      999714b8abb54465809fff0266080cf751ec8805b8d4c8d6471e6de86c75fe59269da40caab48c2e4936f291423e233876631d0b67b876a62fa941371d32cfa2