Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 17:32
Static task: static1
Behavioral task: behavioral1
  Sample: 311f210d67f1aa950a31e4214389f3e9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 311f210d67f1aa950a31e4214389f3e9.exe
  Resource: win10v2004-20231215-en
General
Target: 311f210d67f1aa950a31e4214389f3e9.exe
Size: 112KB
MD5: 311f210d67f1aa950a31e4214389f3e9
SHA1: fc5b1b06cc65a4a68f1a2b5a3e5fff47a75654eb
SHA256: 79f861b4fd1e2aa68123d26fd549dab1a464469f6be98e708154afb50cdbc36e
SHA512: 8dca5b3335cb4b9ef4f374d7cf487d35e0b256db2b95f6e2b7c4f0b3ac2eb9ef971568edbc698545734849b2ccefafff78df52f487d926094b24a1c709fc55f3
SSDEEP: 1536:fMg3p/KEL0mrcYRiiVhOuc8JxzzsQIgpaBHRylpus852FK/MrHoFmqckUy:fX//0m4+quc8JZzhIgpwo6sr2FTck
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried  \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  by 311f210d67f1aa950a31e4214389f3e9.exe

Executes dropped EXE (1 IoC)
  PID 3356  Rundll.exe

Modifies system executable filetype association (2 TTPs, 2 IoCs)
Rewrites the shell verb Windows uses to launch every .exe. With the value below in place, the dropped Rundll.exe starts first and receives the real program's path as its argument, which is exactly how Rundll.exe appears in the process tree (launched with the sample's own path as "%1").
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  by 311f210d67f1aa950a31e4214389f3e9.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\Rundll.exe \"%1\" %*"  by 311f210d67f1aa950a31e4214389f3e9.exe

Drops file in System32 directory (1 IoC)
Note that Rundll.exe is not a Windows binary (the legitimate helper is rundll32.exe); the name and the SysWOW64 location are chosen to blend in.
  File created  C:\Windows\SysWOW64\Rundll.exe  by 311f210d67f1aa950a31e4214389f3e9.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 804  WerFault.exe  reported a crash of target PID 3356 (procid_target 31)

Modifies registry class (3 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command  by 311f210d67f1aa950a31e4214389f3e9.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\Rundll.exe \"%1\" %*"  by 311f210d67f1aa950a31e4214389f3e9.exe
  Key created      \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings  by 311f210d67f1aa950a31e4214389f3e9.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4376  311f210d67f1aa950a31e4214389f3e9.exe
  PID 3356  Rundll.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4376 wrote to memory of 3356  311f210d67f1aa950a31e4214389f3e9.exe  (procid_target 31)
  PID 4376 wrote to memory of 3356  311f210d67f1aa950a31e4214389f3e9.exe  (procid_target 31)
  PID 4376 wrote to memory of 3356  311f210d67f1aa950a31e4214389f3e9.exe  (procid_target 31)
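As an added example that is not part of the tria.ge report, the following Python parses registry IoC lines in the layout used above (operation, key, optional = "value", acting process) and builds two detections on top of it: the exefile shell\open\command hijack (any value other than Windows' own "%1" %*) and the Geo\Nation geofence lookup. The sample lines are constructed to mirror this report's IoCs plus one benign control; the function and constant names are assumptions of this example, not anything the sandbox exposes.

```python
import re

# Operation prefixes as they appear in the report's IoC rows.
OPS = ("Key value queried", "Key created", "Set value (str)", "Set value (int)", "Set value (data)")

# Key suffixes of interest (compared case-insensitively, leading hive ignored).
EXEFILE_CMD = r"\classes\exefile\shell\open\command"           # launch verb for every .exe
GEO_NATION = r"\control panel\international\geo\nation"         # configured country code
BENIGN_EXE_VERB = '"%1" %*'                                     # the only value Windows writes there


def parse_ioc(line):
    """Split one IoC row into op, key, unescaped value (or None) and acting process."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o + " ")), None)
    if op is None:
        return None
    rest, _, process = line[len(op) + 1:].rpartition(" ")   # process is the last token
    key, value = rest, None
    m = re.match(r'^(.*?)\s*=\s*"((?:\\.|[^"\\])*)"$', rest)  # key = "C-escaped value"
    if m:
        key = m.group(1)
        value = re.sub(r'\\(.)', r'\1', m.group(2))            # \\ -> \ and \" -> "
    return {"op": op, "key": key.rstrip("\\"), "value": value, "process": process}


def classify(ioc):
    """Return (finding, detail) for a parsed IoC, or None if it is not interesting."""
    key = ioc["key"].lower()
    if ioc["op"].startswith("Set value") and key.endswith(EXEFILE_CMD):
        if ioc["value"] == BENIGN_EXE_VERB:
            return None
        # Usual hijack shape: <launcher> "%1" %*  -> report the launcher path.
        m = re.match(r'^"?(.+?\.exe)"?\s+"%1"\s+%\*$', ioc["value"], re.I)
        return ("exefile_hijack", m.group(1) if m else ioc["value"])
    if ioc["op"] == "Key value queried" and key.endswith(GEO_NATION):
        return ("geofence_lookup", ioc["key"])
    return None


def scan(lines):
    """Run the two detections over IoC rows; returns [(finding, detail, process), ...]."""
    findings = []
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        hit = classify(ioc)
        if hit:
            findings.append((hit[0], hit[1], ioc["process"]))
    return findings


# Constructed rows in the report's layout: the three registry IoCs above plus a benign control.
SAMPLE_IOCS = [
    r'Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 311f210d67f1aa950a31e4214389f3e9.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 311f210d67f1aa950a31e4214389f3e9.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\Rundll.exe \"%1\" %*" 311f210d67f1aa950a31e4214389f3e9.exe',
    # Benign control (constructed): Windows' own default for the same verb.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" svchost.exe',
]

if __name__ == "__main__":
    for finding, detail, process in scan(SAMPLE_IOCS):
        print(f"{finding:16} {process}: {detail}")
```

The key comparison deliberately ignores the hive prefix so the same rule fires for the per-user override under HKCU\Software\Classes, which takes precedence over the HKLM value for that user; a real deployment would feed it Sysmon Event ID 13 rows instead of sandbox output.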
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\311f210d67f1aa950a31e4214389f3e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\311f210d67f1aa950a31e4214389f3e9.exe"
  PID 4376
  - Checks computer location settings
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Rundll.exe
      Command line: "C:\Windows\SysWow64\Rundll.exe" "C:\Users\Admin\AppData\Local\Temp\311f210d67f1aa950a31e4214389f3e9.exe"
      PID 3356
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 468
          PID 804
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3356 -ip 3356
  PID 640
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 23KB
MD5: b09573fd2d5c40c6396bc74f094855c9
SHA1: 1b4e9a91576d1d094bb8a563575934df03887f1f
SHA256: c29c51c25e4833c5986f8af228f6615fcdfe5b51a83c779c6d233ce77c7f0cfb
SHA512: e45e908f6516817c628d39600c678f1e61bc5dd639c3bf8d676ae3092d97646dca27a345739d6e0ffa59478218408df8e3672320c75a662a506b404fb96d6cc8