Analysis

  • max time kernel
    163s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 18:11

General

  • Target

    33813141d96c8d537b56c00f492b86d8.exe

  • Size

    1.1MB

  • MD5

    33813141d96c8d537b56c00f492b86d8

  • SHA1

    0d8ebbc0889a6ecf599625bb3636bd9a0ff3e680

  • SHA256

    213923d689922f8590cc822d62075841c80dc158b9281f05ec43d9f0de73ad56

  • SHA512

    feb394a73836b87d4383a77f7c6a0178e795ecb213b23d33054b13d9e95102520c6c59f7af14e22abd24d46e62badaf9e395616122bf6f04f7eba385465698db

  • SSDEEP

    12288:6Miy4IadS4ms5I6e66fEheKh6sfC444vk0kfyAfjfym0ArlDrmcZkQoxKk7HA4uO:6bSaE4mvt/H67AfKAr16CkQ8D7xD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 4 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33813141d96c8d537b56c00f492b86d8.exe
    "C:\Users\Admin\AppData\Local\Temp\33813141d96c8d537b56c00f492b86d8.exe"
    1⤵
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Users\Admin\AppData\Local\Temp\ebjcabfbcebda.exe
        C:\Users\Admin\AppData\Local\Temp\ebjcabfbcebda.exe 6,9,6,2,1,8,2,0,6,7,7
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81703604547.txt bios get serialnumber
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81703604547.txt bios get version
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2100
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81703604547.txt bios get version
          4⤵
          PID:3824
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81703604547.txt bios get version
          4⤵
          PID:312
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81703604547.txt bios get version
          4⤵
          PID:384
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 956
          4⤵
          • Program crash
          PID:2788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 324 -ip 324
    1⤵
    PID:1088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\File.exe

    Filesize

    92KB

    MD5

    bac600218861e8da0ceaa34cd4b62f8e

    SHA1

    67eb0013849ec5ed02b768d2fc3e0004df03487e

    SHA256

    6e0ba4d98d1e7f1233f07152183c3ca31086ef0259c2fd1e021857145aed2694

    SHA512

    47c69eb4ef18e40914c8e08bcee714f1f5e40fded9c51a6f6ce05c3198f6665b86da18cb6e288cf84c76711dd7e880d4d8c55e931ae15629ae94001b603b0818

  • memory/1140-0-0x00007FFED4600000-0x00007FFED4FA1000-memory.dmp

    Filesize

    9.6MB

  • memory/1140-2-0x0000000001840000-0x0000000001850000-memory.dmp

    Filesize

    64KB

  • memory/1140-1-0x00007FFED4600000-0x00007FFED4FA1000-memory.dmp

    Filesize

    9.6MB

  • memory/1140-18-0x000000001CB70000-0x000000001CBE8000-memory.dmp

    Filesize

    480KB

  • memory/1140-94-0x00007FFED4600000-0x00007FFED4FA1000-memory.dmp

    Filesize

    9.6MB