Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2023, 13:05
Behavioral task: behavioral1
- Sample: 97aab0a912875f65ae91d3d67e5b4541.exe
- Resource: win7-20231215-en
General
- Target: 97aab0a912875f65ae91d3d67e5b4541.exe
- Size: 441KB
- MD5: 97aab0a912875f65ae91d3d67e5b4541
- SHA1: dff953da77d139e9f7ecd6292d548d1df0cf46cf
- SHA256: 43a6dbabf9d91478c9763b315004b2066d4f8dd539c223a0813cbba409253c96
- SHA512: 23c9033497f6337811e878f24b43a64f6e3065699d60d31b803b93796988ec186ecfe69c699b11da5322efe0e4f8da7cd5c4c198009db8149315f63f47e40714
- SSDEEP: 6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMRJ2:rKf1PyKa2H3hOHOHz9JQ6zBGI
Malware Config
Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.165
- 218.54.31.226
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | getid.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 97aab0a912875f65ae91d3d67e5b4541.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  5060 | getid.exe
  764 | nunet.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  764 | nunet.exe (this row is reported 64 times)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1684 wrote to memory of 5060 | 1684 | 97aab0a912875f65ae91d3d67e5b4541.exe | 92 (reported 3 times)
  PID 1684 wrote to memory of 4408 | 1684 | 97aab0a912875f65ae91d3d67e5b4541.exe | 93 (reported 3 times)
  PID 5060 wrote to memory of 764 | 5060 | getid.exe | 101 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\97aab0a912875f65ae91d3d67e5b4541.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97aab0a912875f65ae91d3d67e5b4541.exe"
  PID: 1684
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\getid.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\getid.exe"
    PID: 5060
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nunet.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nunet.exe"
      PID: 764
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 4408
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 276B
  MD5: c162196d272eab5db2945ec942a7b4e2
  SHA1: 16d11ddc66f802728d038737c937b76012f80399
  SHA256: a82f0f80b474198dc2df109cf253f3c7fa5d2c3048897eb80a5acf56629058fc
  SHA512: fb2edfed35fe95cadc67e60348c70ff569d02b7822a22deb44b71016d3891a3b0530976ad963958a1ffb52e3e46ff13aa43b114ce10df28475106e4601e8df64
- Filesize: 441KB
  MD5: f2399c389b48da1b27a4ebc0b64efb85
  SHA1: 449dbfb43b8fb78b154bcb9394ca490ffcf9b925
  SHA256: 075de5275288b46a78b3cda2d3fa8760fb5b55e0912e8db2bba05da2beda89cb
  SHA512: 86c229832963fb0507b36bdc70cfee21fd73eaaccd94d771376a1014efe3c3295978868be8e676f9b8786000835fcb15c49bb091bd627609b1fb286661f77e37
- Filesize: 512B
  MD5: 1cdf9dc1d4e09e05a3019dde9713a5e3
  SHA1: a418aaa1f269bfb5b7297c2e10b87ee570381f6d
  SHA256: 0f16c6e463aa32eaabf40c660686de5a99f7a41326521eb0dfad70ecbcb2a15c
  SHA512: 76139aa67a53e151076f7328e5e5e12ad3cb2e3cbec4ac0cd675bb20d1fefbf12fc5c14185bdc50fa4808a61be4addaa14747b5aec27df0a279b9e335b75c40e
- Filesize: 230KB
  MD5: f74c096252b178fe7764d08850e32f72
  SHA1: 434c0f7ae2110977d850fc15c5fd03439765e51b
  SHA256: 4407dbfb5620e8ea7ee209c5202cfdd1e22ae724eb4f97eabf0b85e13c3b7d70
  SHA512: 7f5acfa5223f084a28ad5b4dd001c304632df35ae5ae861c2e078af2d5c0d0bf4c616439dba66e477d98028ede2b97acdc29a1dca45be436c75831884e7e34fc