Analysis
- max time kernel: 142s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 11:36
Tasks
- Static task static1
- Behavioral task behavioral1: sample f_000005.exe, resource win7-20230831-en
- Behavioral task behavioral2: sample f_000005.exe, resource win10v2004-20230915-en
General
- Target: f_000005.exe
- Size: 28.1MB
- MD5: 5a1dc98a569ba313aa7648c50de03080
- SHA1: 92703f921a7cebad394913ea0bd081328562eac9
- SHA256: 5c652dcddfbaafe80432ebfff155403ecb6879349df1aab9dccd402f2cb5d152
- SHA512: 972ab49cd6349cb2741dcef01407ee1830c00048c01fd5b17974d6cdb1a744588e11e7ea84c2c02663d8d178dd532a0540e4d2ebfaa1b9505eef9fa46595d8e3
- SSDEEP: 786432:YLYLjRKbobSHHafY4WI12MvVQkUd293gPLJIz2F9C:QYLjbOeWWvRxclE9
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | f_000005.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\SOURCE\st\win10-steps-to-complete.txt | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\disablesmartscreenfilter.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\procexp.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\PsExec.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\PsGetsid64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\pskill64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\set time Win2K8.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\cleanExplorerRunMRU.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\delete temp for all profiles.bat | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\ipreset.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\ithelp.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\manage SSIDs.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\procexp64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\win10HideIcon-documents.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\win10-steps-to-complete.txt | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\win11-explorer-command-bar-disable.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\win11-new-context-menu-disable.bat | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\Bginfo64.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\disableautocomplete.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\disableIEToEdgeBHO.reg | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\pspasswd.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\uptime.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\Procmon.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\pslist.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\putty64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\tcpview64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\ipreset.bat | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\nircmd.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\win10HideIcon-documents.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\Autologon.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\disableipv6.reg | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\du.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\ns.bat | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\Procmon.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\sdelete64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\tftpd64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\nircmd.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\psping64.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\PsService.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\RAMMap.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\portmon.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\PsService.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\Transwiz.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\autorunsc64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\Enable-PhotoViewerWin10.reg | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\ipfix.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\psshutdown.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\set-metered.bat | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\unblock all files.bat | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\disabledefender.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\disableipv6.reg | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\pspasswd64.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\putty.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\putty64.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\RAMMap.exe | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\cleanExplorerTypedPaths.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\delete webcache.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\PsExec64.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\set time Win2K8.bat | f_000005.exe
  File opened for modification | C:\Program Files (x86)\SOURCE\st\Autoruns.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\cleanMstsc.reg | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\Coreinfo64.exe | f_000005.exe
  File created | C:\Program Files (x86)\SOURCE\st\du64.exe | f_000005.exe
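Sixty-four drop rows are tedious to read by eye, and the verdict for this sample hinges on what they contain: Sysinternals and remote-admin binaries (PsExec, Autologon, sdelete, PuTTY, nircmd) next to .reg and .bat files named for switching protections off (disabledefender.reg, disablesmartscreenfilter.reg, unblock all files.bat). The Python script below is an added example, not part of the tria.ge report or of the analysed sample: it parses rows in the report's flattened "description ioc Process" form, dedupes the paths and flags those two groups by file name. The sample rows are a constructed subset of the table above, and the two watchlists are this example's own heuristic, not a tria.ge signature.

```python
"""Triage helper for tria.ge "Drops file in Program Files directory" rows.

Added example, not part of the tria.ge report or of the analysed sample.
Parses IoC rows in the report's flattened "description ioc Process" form,
dedupes the dropped paths and flags well-known dual-use admin tools and
defence-weakening .reg/.bat files by file name. The watchlists below are
this example's own heuristic, not a tria.ge signature.
"""
import ntpath
import re

# Constructed sample: a subset of the rows from the report's IoC table.
SAMPLE_ROWS = r"""File created C:\Program Files (x86)\SOURCE\st\PsExec.exe f_000005.exe
File opened for modification C:\Program Files (x86)\SOURCE\st\PsExec64.exe f_000005.exe
File created C:\Program Files (x86)\SOURCE\st\Autologon.exe f_000005.exe
File created C:\Program Files (x86)\SOURCE\st\sdelete64.exe f_000005.exe
File created C:\Program Files (x86)\SOURCE\st\disabledefender.reg f_000005.exe
File opened for modification C:\Program Files (x86)\SOURCE\st\disablesmartscreenfilter.reg f_000005.exe
File created C:\Program Files (x86)\SOURCE\st\unblock all files.bat f_000005.exe
File created C:\Program Files (x86)\SOURCE\st\win10-steps-to-complete.txt f_000005.exe
File opened for modification C:\Program Files (x86)\SOURCE\st\win10-steps-to-complete.txt f_000005.exe
File opened for modification C:\Program Files (x86)\SOURCE\st f_000005.exe
File created C:\Program Files (x86)\SOURCE\st\putty.exe f_000005.exe
"""

# One row: the action, then a path that may contain spaces, then the
# process name (no spaces) as the last token on the line.
ROW_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")

# Heuristic watchlists (assumption: names picked from the report's own drop
# list, lower-cased). Dual-use = legitimate admin tools that are also
# staples of hands-on-keyboard intrusions.
DUAL_USE = {
    "psexec.exe", "psexec64.exe", "pspasswd.exe", "pspasswd64.exe",
    "autologon.exe", "sdelete64.exe", "nircmd.exe", "putty.exe",
    "putty64.exe", "tftpd64.exe", "procmon.exe",
}
# Substrings that mark files whose purpose is to turn protections off.
DEFENSE_TAMPER = ("disabledefender", "disablesmartscreen", "unblock all files")


def parse_rows(text):
    """Return (action, path, process) tuples; blank or unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def summarize(rows):
    """Aggregate parsed rows into the numbers an analyst wants first."""
    created = sum(1 for action, _, _ in rows if action == "File created")
    modified = len(rows) - created
    paths = {path for _, path, _ in rows}
    # ntpath handles Windows separators regardless of the host platform.
    names = {ntpath.basename(path) for path in paths}
    return {
        "created": created,
        "modified": modified,
        "unique_paths": len(paths),
        "processes": {proc for _, _, proc in rows},
        "dual_use": sorted(n for n in names if n.lower() in DUAL_USE),
        "defense_tamper": sorted(
            n for n in names if any(k in n.lower() for k in DEFENSE_TAMPER)
        ),
    }


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    print(f"{s['created']} created, {s['modified']} modified, "
          f"{s['unique_paths']} unique paths, written by {', '.join(s['processes'])}")
    print("dual-use tools:", ", ".join(s["dual_use"]))
    print("defence-tampering files:", ", ".join(s["defense_tamper"]))
```

The same parser takes the full 64-row table pasted in place of SAMPLE_ROWS. Flagging on file name alone is deliberately cheap: it tells you within seconds that this dropper unpacks an IT-support toolkit with Defender and SmartScreen switch-off scripts, which is what decides whether the sample is an admin utility bundle or staging for an intrusion, and it is the point at which a human should read the .reg and .bat contents rather than trust the names.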
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2244 wrote to memory of 3464 | 2244 | f_000005.exe | 89
  PID 2244 wrote to memory of 3464 | 2244 | f_000005.exe | 89
  PID 2244 wrote to memory of 3464 | 2244 | f_000005.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\f_000005.exe (depth 1, PID 2244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f_000005.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3464)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SOURCE\st\stoolsinstall.bat" "

The child's image path is C:\Windows\SysWOW64\cmd.exe even though its command line names C:\Windows\system32\cmd.exe: the parent is a 32-bit process (the resource tags carry arch:x86 alongside arch:x64), so the system32 reference is redirected by WOW64 file-system redirection. The child runs stoolsinstall.bat from the same C:\Program Files (x86)\SOURCE\st directory into which the parent dropped the files listed above; PID 3464 is also the target of the three WriteProcessMemory IoCs.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13KB
  MD5: 6cd1aaf52fa1a74039f5dcadef7025dc
  SHA1: b7a317099b73cd90d9d38734b419d17f85ad6998
  SHA256: 4e342c8680c505c19772c16a25d469dc5be809cd401591bce15f02b6af98af40
  SHA512: 4349e15279ff87c7dbdca78ffaba81b9c256c09789d364cdec4dbb438fe76dccae69b4850851197a15faea321f11a192c11856eadba7449b995d8af10dcd1eca