Analysis
- max time kernel: 139s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2023, 14:03
Static task: static1
Behavioral task: behavioral1
- Sample: 9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe
- Resource: win10v2004-20230915-en
General
- Target: 9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe
- Size: 1.9MB
- MD5: 2af29bc7d67f65add890bede62d7ba50
- SHA1: 4158f8b6f8378767ed1a658ea0e2db11eafcd1fc
- SHA256: 9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0
- SHA512: a4a87fb974d01524d05a7c0c7e71908521ae57ed3103bfe60d9ad6cc83fb4fea45d870ca8284be5e0451eb5bc79845209fe4795fdafdeea19af8a15c582ef623
- SSDEEP: 49152:wWhr59BfJXAE+USYqWcQYlrUOx5l+tlJcrxEfXghaE30L6aTESjog:wWhrPBfKE7zYYOxcLcCfQQEE3TESJ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation (process: 9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe)
- Loads dropped DLL (2 IoCs)
  PID 2308 rundll32.exe
  PID 828 rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings (process: 9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Rows are: writing PID, target PID, writing process, procid_target.
  PID 4892 wrote to memory of 1612; 9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe; procid_target 83 (listed 3 times)
  PID 1612 wrote to memory of 2308; control.exe; procid_target 86 (listed 3 times)
  PID 2308 wrote to memory of 3224; rundll32.exe; procid_target 89 (listed 2 times)
  PID 3224 wrote to memory of 828; RunDll32.exe; procid_target 90 (listed 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe (PID 4892)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\control.exe (PID 1612)
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 2308)
         Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\RunDll32.exe (PID 3224)
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\rundll32.exe (PID 828)
               Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
               - Loads dropped DLL
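The chain in the process tree (the sample hands a .cpl in the user's Temp directory to control.exe, which runs it through rundll32 with Shell32.dll,Control_RunDLL and finally shell32.dll,#44) is the Control Panel item proxy-execution pattern (ATT&CK T1218.002). The WriteProcessMemory rows above mirror the parent/child links of that tree. Below is an added detection example written for this page; it is not part of the Triage report or of any Triage tooling. The records are constructed from the command lines in the tree using Sysmon Event ID 1 field names, plus one constructed benign launch of a system .cpl (PID 999) as a negative control; the rule names and the user-writable path list are this example's own choices. Two practical points it accounts for: the dropped file uses a mixed-case extension (.cpL), so extension matching must be case-insensitive; and the images sit under SysWOW64 while the command lines name System32, which is consistent with WoW64 file-system redirection for a 32-bit sample (resource tag arch:x86), so rules should match on the binary's file name rather than its directory.

```python
import re

# Constructed records in Sysmon Event ID 1 (process creation) field naming,
# built from the process tree in the report above. The last record (PID 999)
# is a constructed benign launch of a system .cpl, not from the report.
SAMPLE = "9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CPL = TEMP + r"\VHsVS~c9.cpL"   # note the mixed-case extension

SAMPLE_EVENTS = [
    {"ProcessId": 4892, "ParentProcessId": 1,
     "Image": TEMP + "\\" + SAMPLE,
     "CommandLine": f'"{TEMP}\\{SAMPLE}"'},
    {"ProcessId": 1612, "ParentProcessId": 4892,
     "Image": r"C:\Windows\SysWOW64\control.exe",
     "CommandLine": f'"C:\\Windows\\System32\\control.exe" "{CPL}",'},
    {"ProcessId": 2308, "ParentProcessId": 1612,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f'"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL "{CPL}",'},
    {"ProcessId": 3224, "ParentProcessId": 2308,
     "Image": r"C:\Windows\system32\RunDll32.exe",
     "CommandLine": f'C:\\Windows\\system32\\RunDll32.exe Shell32.dll,Control_RunDLL "{CPL}",'},
    {"ProcessId": 828, "ParentProcessId": 3224,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f'"C:\\Windows\\SysWOW64\\rundll32.exe" "C:\\Windows\\SysWOW64\\shell32.dll",#44 "{CPL}",'},
    {"ProcessId": 999, "ParentProcessId": 1,   # constructed benign negative control
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Windows\System32\main.cpl"'},
]

# Directories an unprivileged user can write to (example's own list); a .cpl
# loaded from one of these is suspect, a .cpl under System32 is not.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|public)\\", re.I)
# First absolute path ending in .cpl, matched case-insensitively so that
# ".cpL" does not slip past the rule.
CPL_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.cpl)\b', re.I)
# Ways of handing a .cpl to rundll32 seen in the tree: the Control_RunDLL
# export by name, or the shell32.dll ordinal #44 form of the final stage.
CPL_LOADER = re.compile(r'control_rundll|shell32\.dll"?,#44', re.I)


def cpl_path(cmdline):
    """Return the .cpl path named on a command line, or None."""
    m = CPL_ARG.search(cmdline)
    return m.group(1) if m else None


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Apply the rules to one event; returns a list of (rule, cpl_path) hits.

    Matching is on the image's file name only, because WoW64 redirection
    places the same binaries under both System32 and SysWOW64.
    """
    cmd = event["CommandLine"]
    cpl = cpl_path(cmd)
    if cpl is None or not USER_WRITABLE.search(cpl):
        return []
    name = _basename(event["Image"])
    hits = []
    if name == "control.exe":
        hits.append(("control_exe_user_writable_cpl", cpl))
    if name == "rundll32.exe" and CPL_LOADER.search(cmd):
        hits.append(("rundll32_cpl_proxy_execution", cpl))
    return hits


def lineage(events, pid):
    """Follow ParentProcessId links upward; returns image paths root-first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"])
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def scan(events):
    """Run every rule over every event and attach the root process of each hit."""
    findings = []
    for e in events:
        for rule, cpl in evaluate(e):
            findings.append({"rule": rule, "pid": e["ProcessId"], "cpl": cpl,
                             "root": lineage(events, e["ProcessId"])[0]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<5} cpl={f['cpl']}  root={f['root']}")
```

On the report's events this yields four hits (one for control.exe, three for the rundll32 stages), all tied back to the sample in Temp as the root process, and none for the benign control.exe launch of a .cpl under System32. In production telemetry the same two predicates map directly onto a Sysmon or EDR rule over Image, CommandLine and the parent chain.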
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: f2db5d943fd3c00201c223cd3800c75f
  SHA1: bf13930ce7a84f9fa02463f354eeed68dd8e96d3
  SHA256: 02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3
  SHA512: ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613