Analysis
max time kernel: 139s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 02:44
Static task: static1
Behavioral task: behavioral1
  Sample: cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe
  Resource: win10v2004-20230915-en (the task whose signatures and process tree are reported below; it matches the resource named under Analysis)
General
Target: cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe
Size: 2.9MB
MD5: 151218fec66bb600cd332836c08a1936
SHA1: ac8bfffedbbbef42960c0d9f23b86d9c37424f05
SHA256: cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020
SHA512: 4ad27c3648d195ff5226ee1a16131cfabb177b27d9ab74660dc7415ff98f0cd489abf0de53bb132cf7f556563bbb64879db8e6747d3d4e90bb75a317d462d393
SSDEEP: 49152:HdgokOEY+BOhUI32mKJH1o5MTepxfMoaWeX9RialiTWKI6dbTNvpm2quVAzHKlnN:HUHY+FrO/CWetRx6Plzm2LVAzqqa
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check: the sample reads the current user's Geo\Nation value before doing anything else of note.
  Description         IoC                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation   cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe

Loads dropped DLL (1 IoC)
  PID   Process
  568   regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
Three identical events were recorded, all from the sample into its regsvr32.exe child:
  Description                         PID    Process                                                                   procid_target
  PID 4280 wrote to memory of 568     4280   cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe   82
Processes

C:\Users\Admin\AppData\Local\Temp\cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe  (PID 4280)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\regsvr32.exe  (PID 568)
      Command line: "C:\Windows\System32\regsvr32.exe" /U /S XDGDyE.yFL
      Signatures: Loads dropped DLL

Two details of the child process are worth noting. The command line names System32 but the image that actually ran is the SysWOW64 copy, so the parent is a 32-bit process and file system redirection substituted the 32-bit regsvr32 (consistent with the arch:x86 resource tag). The arguments are /U /S with a bare file name that has no .dll extension and no path: /S suppresses all dialogs and /U asks regsvr32 to call the module's DllUnregisterServer export, which still loads the file and runs its code, so nothing is registered but the dropped payload executes inside a signed Microsoft binary. That is the "Loads dropped DLL" hit on PID 568 and is the pattern ATT&CK catalogues as Signed Binary Proxy Execution: Regsvr32 (T1218.010). Because the target is a bare name, LoadLibrary resolves it through the normal DLL search order, which includes the working directory regsvr32 inherited from the sample.
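Detection logic for the two behaviours recorded above (regsvr32 launched with /U /S on a dropped file that has no .dll extension, and a Geo\Nation registry read from a binary running out of a user temp directory), as an added example that is not part of the Triage report or of the sample itself. It is a small Python scorer run over constructed, Sysmon-like process-creation and registry-query events that mirror this report's process tree and registry IoC; the event field names, the two benign control events, and the user-writable path list are assumptions, not anything the report states.

```python
import re

# Constructed telemetry that mirrors this report's process tree (PID 4280 -> 568)
# and its registry IoC, plus two benign control events. The field names
# (type, pid, ppid, image, cmdline, parent_image, key) are an assumption modelled
# loosely on Sysmon event fields, not the schema of any particular product.
SAMPLE = "cc46dcaf1c9f9be0e98058eb356f0a6f5a776d86770f313ad6a07d2a807f0020.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000"
           r"\Control Panel\International\Geo\Nation")

EVENTS = [
    {"type": "process_create", "pid": 4280, "ppid": 1234, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_query", "pid": 4280, "image": SAMPLE_PATH, "key": GEO_KEY},
    {"type": "process_create", "pid": 568, "ppid": 4280,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /U /S XDGDyE.yFL',
     "parent_image": SAMPLE_PATH},
    # Benign controls (constructed): an installer registering its own DLL, and
    # Explorer reading the same Geo\Nation value, which shell components do routinely.
    {"type": "process_create", "pid": 900, "ppid": 1234,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
    {"type": "registry_query", "pid": 1234, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
]

# Paths an unprivileged user can write to: anything under a profile, ProgramData,
# or the Windows temp directory (assumed list). Code loaded from here by a signed
# system binary deserves a second look.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_regsvr32(ev):
    """Return the reasons a regsvr32 process creation looks like proxy execution."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith(r"\regsvr32.exe"):
        return []
    args = tokenize(ev["cmdline"])[1:]                      # drop argv[0]
    flags = {a[1:].upper() for a in args if a and a[0] in "/-"}
    targets = [a for a in args if a and a[0] not in "/-"]
    reasons = []
    for t in targets:
        if not t.lower().endswith(".dll"):
            reasons.append(f"target without .dll extension: {t}")
        if not re.match(r"^[a-z]:\\", t, re.I):
            reasons.append(f"bare target name resolved via DLL search order: {t}")
        elif USER_WRITABLE.match(t):
            reasons.append(f"target in user-writable path: {t}")
    if {"U", "S"} <= flags:
        reasons.append("silent unregister (/U /S): DllUnregisterServer still runs the module's code")
    if USER_WRITABLE.match(ev["parent_image"]):
        reasons.append(f"parent runs from user-writable path: {ev['parent_image']}")
    return reasons


def check_geofence(ev):
    """Flag a Geo\\Nation read only when the reader runs from a user-writable path."""
    if ev["type"] != "registry_query" or not ev["key"].lower().endswith(GEO_NATION_SUFFIX):
        return []
    if not USER_WRITABLE.match(ev["image"]):
        return []   # the shell and locale-aware apps read this key routinely
    return [f"Geo\\Nation read by {ev['image']} (possible geofence check)"]


def triage(events):
    """Map PID -> list of reasons for every event that trips a check."""
    hits = {}
    for ev in events:
        reasons = check_regsvr32(ev) + check_geofence(ev)
        if reasons:
            hits.setdefault(ev["pid"], []).extend(reasons)
    return hits


def flagged_chains(events, hits):
    """Parent -> child pairs where both processes tripped a check (here 4280 -> 568)."""
    return [(ev["ppid"], ev["pid"]) for ev in events
            if ev["type"] == "process_create" and ev["pid"] in hits and ev["ppid"] in hits]


if __name__ == "__main__":
    found = triage(EVENTS)
    for pid, reasons in found.items():
        print(pid, *reasons, sep="\n  ")
    print("chains:", flagged_chains(EVENTS, found))
```

The Geo\Nation check is deliberately gated on the reading process living in a user-writable path: the key is read by Explorer and by most locale-aware software, so on its own it is noise, and the report's signal comes from who read it. The regsvr32 check scores on the shape of the command line rather than on the file name XDGDyE.yFL, which will differ from sample to sample, and the chain output ties the two weak signals to the same parent/child pair the report shows.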
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.7MB
MD5: 4547ee14a13ad4926ab2606a91b39716
SHA1: 4afdbabe974d85aa41cc58f1429c5570b6d4436a
SHA256: cc2185c0db062e46db27d56c7a2f5962e7cd4e57f27b6e302c962869a316ab9e
SHA512: 951a4f29a477b3e5cb1e2617e1b4ef20e9343b686439fc224fc9da31c1f70de669c304ada36401da991581891e8edb11cc7790200e4bf435336668a348f624c6