Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 05:22
Behavioral tasks

behavioral1
  Sample: 07a55baff3f0989cff1932de7c2187ed.exe
  Resource: win7-20231215-en

behavioral2
  Sample: 07a55baff3f0989cff1932de7c2187ed.exe
  Resource: win10v2004-20231215-en
General

Target: 07a55baff3f0989cff1932de7c2187ed.exe
Size: 186KB
MD5: 07a55baff3f0989cff1932de7c2187ed
SHA1: cc30f57cbd65b98734158f9734d092fb4f65d801
SHA256: 24a5dfdd46040c38afdd85c6ecb248abdce920b48d423f0b803ee5e30d284375
SHA512: b7b0ef41f0a1fb2c880c6beff907d9980aeee0b14c4ec71d920497f709fe7778ca95e54d1a8c8f9cae392ece1bb39ccce8fb3040ea9858afc2e6380b8c556018
SSDEEP: 3072:DXsEMh4Qi7+x8a4f58GgyQl3RGzD6uiushKnsQjY4PwUsOUIgESo6OJ4:DXsEHQiI8acMlAsuY0OUhzSoY
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
  Process: 07a55baff3f0989cff1932de7c2187ed.exe

Executes dropped EXE (1 IoCs)
  pid 3740: ins2364.exe

resource / yara_rule
  behavioral2/memory/4260-0-0x0000000000BF0000-0x0000000000C69000-memory.dmp: upx
  behavioral2/memory/4260-19-0x0000000000BF0000-0x0000000000C69000-memory.dmp: upx
  behavioral2/memory/4260-22-0x0000000000BF0000-0x0000000000C69000-memory.dmp: upx

Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (ins2364.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (ins2364.exe)

Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly (ins2364.exe)
  File created: C:\Windows\assembly\Desktop.ini (ins2364.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (ins2364.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 3740: ins2364.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 3740: ins2364.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3740: ins2364.exe
  pid 3740: ins2364.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4260 wrote to memory of 3740 | 4260 | 07a55baff3f0989cff1932de7c2187ed.exe | 91
  PID 4260 wrote to memory of 3740 | 4260 | 07a55baff3f0989cff1932de7c2187ed.exe | 91
  PID 4260 wrote to memory of 3740 | 4260 | 07a55baff3f0989cff1932de7c2187ed.exe | 91
Processes

C:\Users\Admin\AppData\Local\Temp\07a55baff3f0989cff1932de7c2187ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a55baff3f0989cff1932de7c2187ed.exe"
  PID: 4260
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\n2364\ins2364.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\n2364\ins2364.exe" ins.exe /t102c65da4b9349e0615e908f6c7c28 /e12028019 /u17e89388-634a-11e3-b23b-80c16e6f498c
    PID: 3740
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 264KB
MD5: 5653950415888177a9cbb4c7fb8e223e
SHA1: a523b9aacb99da11feebda1bf1b27687f839977b
SHA256: d2606331b86cb80d05a59ed1055983cf38bc17f3e5bf01543c40decfc67acf45
SHA512: 6deeac7c1e39d328f6b43c582343cc2026934f36b75287811e677405d74d1f2b524a14de05688172f30a10449238d4a5e6ac96e21c1d341a3fb59cb626b04d96