Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2023, 13:22

General

  • Target

    31848b6fbbdc84b05dce3bbf3816b87b.exe

  • Size

    15KB

  • MD5

    31848b6fbbdc84b05dce3bbf3816b87b

  • SHA1

    887fe0a9ae994a51d2e2f095eb841783042e7b54

  • SHA256

    d633b41e8a8a70204709898f8f4c37a550ef847a96c2263f32f127d1905e85f3

  • SHA512

    31f8b800f87de8da3648e2ebab2cd422b1e05dad8f7d14fd994232d9e275d3ee7211c1dfa164bc702c62cc147b9c0a40ec9e46ecebf3718731d617c3c964f0a8

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYKB2FG:hDXWipuE+K3/SSHgxmKEFG

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31848b6fbbdc84b05dce3bbf3816b87b.exe
    "C:\Users\Admin\AppData\Local\Temp\31848b6fbbdc84b05dce3bbf3816b87b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\AppData\Local\Temp\DEM65DE.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM65DE.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Local\Temp\DEMBEEB.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMBEEB.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:484
        • C:\Users\Admin\AppData\Local\Temp\DEM170D.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM170D.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Users\Admin\AppData\Local\Temp\DEM6F30.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6F30.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4380
            • C:\Users\Admin\AppData\Local\Temp\DEMC668.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC668.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3380
              • C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe"
                7⤵
                • Executes dropped EXE
                PID:576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM170D.exe

    Filesize

    15KB

    MD5

    70614d72784f52b5acf0afbebc4af111

    SHA1

    8cd8fcd6913de675721bed0a719fb3bcbfe6a63a

    SHA256

    bceeddb4346f935eee7d9dde05bb5ed2c1c362f4cb9e8354447ad74a634f9e84

    SHA512

    4b7ce4ec1317196c65b20511286c3d23c79781e30868176623486cbb2da04f2d8e3fd7baf18ba5b40dc40a2e2e069a3d40da68bd00e69fc2f13fc2979b0583c8

  • C:\Users\Admin\AppData\Local\Temp\DEM1E6B.exe

    Filesize

    15KB

    MD5

    c0c2c0a527c41019a8e860cf38ca7eb0

    SHA1

    d2b7d6a5f2429f9cc1c8d6e1c3e97f83a6a116bb

    SHA256

    66865560395ed75a43c72cbdb15cdcf0596d1e0656b75d79eaa78ca7aad96a93

    SHA512

    4557f8206ed07cfabffa039c5a9c8db1259fce5cf6e633cdcc9fc27b8a5540b0ff31be316d742bb74979a68a60d01b03abd61389d7434abc1da6b21731ee0600

  • C:\Users\Admin\AppData\Local\Temp\DEM65DE.exe

    Filesize

    15KB

    MD5

    6b07283ffc1cd3b619d0a675efc2ba5a

    SHA1

    d3a88f08367bbee709effcf6d9cccda20fd0295c

    SHA256

    eb9ed83f923ca99d12cb7015913b0719ad91fd5b1b85d3a0437bae08aef34983

    SHA512

    c09ab080d03293ea05d4cdb5600b1017d0fe0d76d704d4e66ac780b6cdac089b2075b377ac9fe0cc1cc590156800941486fccad3aa07b763abe636a09eb68d04

  • C:\Users\Admin\AppData\Local\Temp\DEM6F30.exe

    Filesize

    15KB

    MD5

    1c3e66c24578dc142204384fe37bb4dd

    SHA1

    e9ff3920982a2394fc9021522954f920c540138b

    SHA256

    da26e63c8d55a66f546a5bf6291be1e802a2e3a17915fc93449dc3b3ae251c47

    SHA512

    bcb8ca012c9bc8d682511eca856ada14b1556ff2043f31aa3d83a78e3f64974f2cceb39eccc8ccb700a550ef40e95319699e14b355f7a16e3b864d261dc3f331

  • C:\Users\Admin\AppData\Local\Temp\DEMBEEB.exe

    Filesize

    15KB

    MD5

    ac4248248c4398994fae23d6a2350ee5

    SHA1

    94560f12f9e3bef43fc965878d6e64fb9a835b93

    SHA256

    7bff9b9d5683cdfd82af5ae0b422b75370f210238561c786285a123843a7b822

    SHA512

    dd3dfc2ba033224293eee68cc55a26331225b83560e3f21919582b724f0ad6fe582854e0d9bf699e7098c9a48bbdcd18d4a78ee01b3704a767613a068358f4ef

  • C:\Users\Admin\AppData\Local\Temp\DEMC668.exe

    Filesize

    15KB

    MD5

    4931db5583cd8b0a1a9e25d317167b2e

    SHA1

    22550870df1b8312629bb10193b2ae6a82e5ff71

    SHA256

    90c6219134358a829126406fb1f21d785c25b9d27ae1dc6ffc49fcc7473f49a0

    SHA512

    7e2c8aece3c8f6dab55a4ef5e18fac5763370d705bb2553adf86b1315e81ff8456f0b2d36ff768709bb048f4eeaa6f9095bc91e44cc00c9ebcc60c59af8096c1