Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/12/2023, 15:16
Static task
- static1

Behavioral task
- behavioral1
  Sample: 03577bf55d4aefea88aaa1eed68e3a19.exe
  Resource: win7-20231129-en

Behavioral task
- behavioral2
  Sample: 03577bf55d4aefea88aaa1eed68e3a19.exe
  Resource: win10v2004-20231215-en
General
- Target: 03577bf55d4aefea88aaa1eed68e3a19.exe
- Size: 181KB
- MD5: 03577bf55d4aefea88aaa1eed68e3a19
- SHA1: b993c81ba18ced9d41fc59ac647bea489b2e15f5
- SHA256: 48e12867b2a256b2676efd76f7672bb5a3b111a0304157b98c6c86c7d76b2d5e
- SHA512: b9997d745b61f8e0e240f6282976bc4897fbcd969be45753d8c9ea0a820f48d75992923d98387f305b2505882e9a58547ff3b18e7d53ca7bd1415f0b1b01f155
- SSDEEP: 3072:1d9xR3G2BZMbBLBaYw0coLujNHIHaTTg4atGleXOMJrbB60FT+bBNXXl:1d93ZBZMbqYgomHIH3eMxF8BNXXl
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (process: 03577bf55d4aefea88aaa1eed68e3a19.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (process: inf.exe)
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe (process: inf.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe (process: inf.exe)
- Executes dropped EXE (2 IoCs)
  - PID 1092: inf.exe
  - PID 2020: smgr34.exe
- Loads dropped DLL (4 IoCs)
  - PID 1092: inf.exe
  - PID 1092: inf.exe
  - PID 2020: smgr34.exe
  - PID 2020: smgr34.exe
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\zlib4.dll (process: inf.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 2144 wrote to memory of 1092 (process: 03577bf55d4aefea88aaa1eed68e3a19.exe, procid_target: 40)
  - PID 2144 wrote to memory of 1092 (process: 03577bf55d4aefea88aaa1eed68e3a19.exe, procid_target: 40)
  - PID 2144 wrote to memory of 1092 (process: 03577bf55d4aefea88aaa1eed68e3a19.exe, procid_target: 40)
  - PID 1092 wrote to memory of 2020 (process: inf.exe, procid_target: 41)
  - PID 1092 wrote to memory of 2020 (process: inf.exe, procid_target: 41)
  - PID 1092 wrote to memory of 2020 (process: inf.exe, procid_target: 41)
Processes
- C:\Users\Admin\AppData\Local\Temp\03577bf55d4aefea88aaa1eed68e3a19.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03577bf55d4aefea88aaa1eed68e3a19.exe"
  PID: 2144 (depth 1)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WINDOWS\inf.exe"
    PID: 1092 (depth 2)
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smgr34.exe"
      PID: 2020 (depth 3)
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads