Analysis

  • max time kernel
    110s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2023, 11:18

General

  • Target: 1270129e048044cc8559fe9a415ef3d6.exe
  • Size: 14KB
  • MD5: 1270129e048044cc8559fe9a415ef3d6
  • SHA1: f778d1454743f681de39a8117f2c2fc17b140731
  • SHA256: e9d6d940ea9eb9d44accbecc9de6b28bf71fb1583b72f1627987c76c50186475
  • SHA512: e3eaa0de8e4453da3684888b392fd3fc90460d80f7d5b52b1cc8b1e4c1042d6aa61e6910cbbfd9c935902d97bd7cd97944999026298e4e8667692e24944356ae
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh4cz2:hDXWipuE+K3/SSHgx72

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 4 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1270129e048044cc8559fe9a415ef3d6.exe
    "C:\Users\Admin\AppData\Local\Temp\1270129e048044cc8559fe9a415ef3d6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Local\Temp\DEM5340.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5340.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\DEMA921.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMA921.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Users\Admin\AppData\Local\Temp\DEMFF20.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMFF20.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Users\Admin\AppData\Local\Temp\DEM553F.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM553F.exe"
            5⤵
            • Executes dropped EXE
            PID:4688
            • C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe"
              6⤵
              PID:2888
              • C:\Users\Admin\AppData\Local\Temp\DEM54.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM54.exe"
                7⤵
                PID:3248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM5340.exe
    Filesize: 14KB
    MD5: 3f0b648f51291814aa82eb2bce7a3c3e
    SHA1: a0507b8d2e6e4270a280c087235bb3b909ecf2c5
    SHA256: 181f07f055e64c122d1bd5b273301d44d20bad6bcc57224d0d61bd04e06fdd1b
    SHA512: 701a22e22fe5797776607cd6f52e967815cdf2d4b12a90e73797c3742ad0b230cf608c4f9adaac847af2b64b7c700a1712720084677d37fba3730a9898d61d4b

  • C:\Users\Admin\AppData\Local\Temp\DEM54.exe
    Filesize: 14KB
    MD5: 95444edf05b77bfa82c84bb9564022e6
    SHA1: 2f9f108c9fb9a27442f2c26646f88e5a88594adb
    SHA256: 52e5ef977027698e1846db16dcfd647b84cb58adfa948bce9d992e286d556914
    SHA512: 6ba853dcea82f9ea27480c2b507fb4ff560ef7ddcc5798454f5e546092a2ffc0ea956453bf8871ad324d0d3aaba44184f9393eecd956acae9cbfadad357574e4

  • C:\Users\Admin\AppData\Local\Temp\DEM553F.exe
    Filesize: 14KB
    MD5: 70de0b2e5a7c138fc11d953e3783ccf2
    SHA1: 6f0f442a87d859970b656961906cfe892e3984cc
    SHA256: 3c0362a3919ff21848bcb681e900712598f42e1791d250faf2baa9eb99a955b9
    SHA512: f19a1517512051ea3f20392bf93a2e323b2a26570b814283d634f0cda14c466c5febf2514d244575fe515c29c647c5b61af096f9e30092fe42c0d04d3c0d1a1e

  • C:\Users\Admin\AppData\Local\Temp\DEMA921.exe
    Filesize: 14KB
    MD5: 6f781c6d29040c4214e89de93cc6a990
    SHA1: 49ef6a24791b7386424c6e2da954706f39e96cd9
    SHA256: 92fb222e615618055a42414747d1594b0580f38ce7e00dc70c35d8f8b278538f
    SHA512: c74a0fb256376c49321d5ebeac062a6b0b3d741f702a22e679ff037b35d42e12a79b779e23c5828234102dcb64250c4bef26aa4f8da509bbd5328fd1dc46ac2a

  • C:\Users\Admin\AppData\Local\Temp\DEMAB20.exe
    Filesize: 14KB
    MD5: 174c1807c7b5dd3dcea7194dc3221fc1
    SHA1: e476a6eb31cfcd961dfdf46f155bed796cf4c715
    SHA256: 310c7f9780f6d505d9f60fce9cfbe0ee7937cf7ff080ef2c639de4755d65087d
    SHA512: 78834bbec285b120a2997e2954be81bf09317cefabbe0baf3cfe34e90f2f59e13110cff1d1cebf90becc54a80595618deb82efa244bd8cacb867d5b39d980dd8

  • C:\Users\Admin\AppData\Local\Temp\DEMFF20.exe
    Filesize: 14KB
    MD5: 58031b96b9d279065dabef2ebc43fe85
    SHA1: 034ea5b481624c3e3c69d62f5c7f4c4f1b1bc1b2
    SHA256: 7df8badb20dd4f4b8ec2dc59985fd561ad80660df42ebb5531b715de15bba364
    SHA512: c6b571a3fff7fa123e77aaa6dac09f52a18af01cad8c2e09dc47ac3daaf955d0c8db01ef5e5da6fd8462f3d69d3b02882e95b07e4b9c94b12e1999796c25e5bb