Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 09:19
Behavioral tasks
- behavioral1: sample 14303216a7dedb014985b13c58308e73.exe, resource win7-20231215-en
- behavioral2: sample 14303216a7dedb014985b13c58308e73.exe, resource win10v2004-20231222-en
General
- Target: 14303216a7dedb014985b13c58308e73.exe
- Size: 21KB
- MD5: 14303216a7dedb014985b13c58308e73
- SHA1: e1553ed898d1e0aa170573b0d3dda1c181b1928c
- SHA256: c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a
- SHA512: bd16d8242f3d71c7749060fc134563be7b9e27ab08dce100aa0f3073ed4f28f21c0112c9223e5e3ed3c66338771c861feb05c52c7376581c6e1398fd14a2ec54
- SSDEEP: 384:nshUHuAdwb492W08W8OY2CWNZ597y68iYf1HRjkzgQJd1Axzr6+S9Pfu7n5c:nmUHuzz8W8ByZj7y68vVRjkzgQKxKdeG
Malware Config
Signatures
- YARA rule match (1 IoC)
  - resource: behavioral2/files/0x000600000001e5df-4.dat, yara_rule: aspack_v212_v242
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation, process: 14303216a7dedb014985b13c58308e73.exe
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autostart.exe, process: smss.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autostart.exe, process: smss.exe
- Executes dropped EXE (1 IoC)
  - PID 3924, process: smss.exe
- Drops file in Program Files directory (3 IoCs)
  - File opened for modification: C:\Program Files\Common Files\System\smss.exe, process: 14303216a7dedb014985b13c58308e73.exe
  - File created: C:\Program Files\Common Files\System\start.bat, process: smss.exe
  - File created: C:\Program Files\Common Files\System\smss.exe, process: 14303216a7dedb014985b13c58308e73.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs regedit.exe (1 IoC)
  - PID 1012, process: REGEDIT.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 3188 wrote to memory of 3924, process: 14303216a7dedb014985b13c58308e73.exe, procid_target: 93
  - PID 3188 wrote to memory of 3924, process: 14303216a7dedb014985b13c58308e73.exe, procid_target: 93
  - PID 3188 wrote to memory of 3924, process: 14303216a7dedb014985b13c58308e73.exe, procid_target: 93
  - PID 3924 wrote to memory of 1012, process: smss.exe, procid_target: 94
  - PID 3924 wrote to memory of 1012, process: smss.exe, procid_target: 94
  - PID 3924 wrote to memory of 1012, process: smss.exe, procid_target: 94
Processes
- C:\Users\Admin\AppData\Local\Temp\14303216a7dedb014985b13c58308e73.exe (PID 3188)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14303216a7dedb014985b13c58308e73.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\System\smss.exe (PID 3924)
    Command line: "C:\Program Files\Common Files\System\smss.exe"
    Signatures: Drops startup file; Executes dropped EXE; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\REGEDIT.exe (PID 1012)
      Command line: REGEDIT /S "C:\Program Files\Common Files\System\start.bat"
      Signatures: Runs regedit.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1 (21KB)
  - MD5: 14303216a7dedb014985b13c58308e73
  - SHA1: e1553ed898d1e0aa170573b0d3dda1c181b1928c
  - SHA256: c61d23e3bdfd9f6d05583e25c98a24f3313e93d77b47d09f06aa2166752e3c3a
  - SHA512: bd16d8242f3d71c7749060fc134563be7b9e27ab08dce100aa0f3073ed4f28f21c0112c9223e5e3ed3c66338771c861feb05c52c7376581c6e1398fd14a2ec54
- File 2 (291B)
  - MD5: 239692327ed96d1d23daf92e034275d0
  - SHA1: 72368106cfe3dbfa6c7c09068df12b4840a8de23
  - SHA256: b70c591470a52b92ded3a5fef8bc6cc2d0169573bb2aa53956024811c4116c3c
  - SHA512: acd5fdc14f16ee7a3f025c742f1077ac1f3459fade751790a64f7bea995195c82be48334cd27ebae5e00a79d1d6a3dbdf468dfc95eba2149b4dbc317df558067