Analysis
Max time kernel: 148s
Max time network: 141s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22/12/2023, 15:43

Static task: static1
Behavioral task: behavioral1
  Sample: de834982155ffcb753b1dd17388cf5dd.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: de834982155ffcb753b1dd17388cf5dd.exe
  Resource: win10v2004-20231215-en
General
Target: de834982155ffcb753b1dd17388cf5dd.exe
Size: 239KB
MD5: de834982155ffcb753b1dd17388cf5dd
SHA1: dce72110af863d0355004c9543703ff7a6581802
SHA256: 354fe07dce22506e3d3a9bd343ff6a007d3f0ff311ec445a5d0fc0c59f7f336b
SHA512: 2010eab3fc55723fdf7f317212ad7220f1e7c926786357ede922c543104825d7731c7a2a6896c2e9661fd35987849feb37493b898b76958d3a8d07ed9d65aa5c
SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B87pjIkgnDpik:o68i3odBiTl2+TCU/WIk8OhuhuIL
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | de834982155ffcb753b1dd17388cf5dd.exe
- Drops file in Windows directory (12 IoCs)
  Description | IoC | Process
  File created | C:\Windows\SHARE_TEMP\Icon12.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\SHARE_TEMP\Icon14.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\winhash_up.exez | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\SHARE_TEMP\Icon10.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\SHARE_TEMP\Icon2.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\SHARE_TEMP\Icon3.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\SHARE_TEMP\Icon5.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\SHARE_TEMP\Icon6.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\SHARE_TEMP\Icon7.ico | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\bugMAKER.bat | de834982155ffcb753b1dd17388cf5dd.exe
  File opened for modification | C:\Windows\winhash_up.exez | de834982155ffcb753b1dd17388cf5dd.exe
  File created | C:\Windows\winhash_up.exe | de834982155ffcb753b1dd17388cf5dd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID | Process
  5056 | cmd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description | PID | Process | Target procid
  PID 5048 wrote to memory of 5056 | 5048 | de834982155ffcb753b1dd17388cf5dd.exe | 89
  PID 5048 wrote to memory of 5056 | 5048 | de834982155ffcb753b1dd17388cf5dd.exe | 89
  PID 5048 wrote to memory of 5056 | 5048 | de834982155ffcb753b1dd17388cf5dd.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\de834982155ffcb753b1dd17388cf5dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de834982155ffcb753b1dd17388cf5dd.exe"
  PID: 5048
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
    PID: 5056
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76B
  MD5: 7c5f8a7484d521f7d95be92d40aa5740
  SHA1: 8b242ed07f046858f09d8c14dad9ff6c838dcd09
  SHA256: 630f8da7cbbfaa448ff3cd8f2ec2e13d1dad370f4aee28d1041ca121db5206ac
  SHA512: 2940966574e259ccd55071700d26ff6e8d7e843fa011e2df9de8f9e769d6ac0f66bf5557d558ad1477b0483bf109c1aba33b983165a3efb8024de8320210e784