Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 05:59
Static task: static1
Behavioral task: behavioral1
  Sample: 5853abf213e5cdaeae074d9dbbf6098b.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5853abf213e5cdaeae074d9dbbf6098b.exe
  Resource: win10v2004-20231222-en
General
Target: 5853abf213e5cdaeae074d9dbbf6098b.exe
Size: 226KB
MD5: 5853abf213e5cdaeae074d9dbbf6098b
SHA1: d4c6d38e5ad574c4e07b33b3c342be45726af04d
SHA256: 73f4006f8f42d1c5c4644c02513082b5e0c5e15465c667c8de0e2d4a652b1dc4
SHA512: 2ac3eb5ff36c1dbf2d8a5ec7543ff31449f0da462cb35576a2ab0bb73ae79feac1d91fb3c6f92b2e58cb962d4bcfa0fe8bde16229e199709d16a4eadc47ff691
SSDEEP: 6144:C1QLJQL0gTTuQ0quhsf7KjMdcornRZAArCgLADMJ82PeAUyFd:x2oITuQ0qugKjzEfbrCnm82PevS
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | Process: 5853abf213e5cdaeae074d9dbbf6098b.exe

Executes dropped EXE (1 IoCs)
  pid: 1976 | Process: generator.exe

Drops file in System32 directory (2 IoCs)
  description: File created | ioc: C:\Windows\SysWOW64\directx.exe | Process: 5853abf213e5cdaeae074d9dbbf6098b.exe
  description: File opened for modification | ioc: C:\Windows\SysWOW64\directx.exe | Process: 5853abf213e5cdaeae074d9dbbf6098b.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: 33 | pid: 2552 | Process: AUDIODG.EXE
  description: Token: SeIncBasePriorityPrivilege | pid: 2552 | Process: AUDIODG.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2828 wrote to memory of 1976 | pid: 2828 | Process: 5853abf213e5cdaeae074d9dbbf6098b.exe | procid_target: 60
  description: PID 2828 wrote to memory of 1976 | pid: 2828 | Process: 5853abf213e5cdaeae074d9dbbf6098b.exe | procid_target: 60
  description: PID 2828 wrote to memory of 1976 | pid: 2828 | Process: 5853abf213e5cdaeae074d9dbbf6098b.exe | procid_target: 60
Processes
C:\Users\Admin\AppData\Local\Temp\5853abf213e5cdaeae074d9dbbf6098b.exe (depth 1, PID: 2828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5853abf213e5cdaeae074d9dbbf6098b.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\generator.exe (depth 2, PID: 1976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\generator.exe"
    - Executes dropped EXE

C:\Windows\system32\AUDIODG.EXE (depth 1, PID: 2552)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x478 0x4f4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 163KB
MD5: ec264de3e9f120078e3f2533e51e1842
SHA1: cebb108a745c774d6ba93f9cf9516e54f06dca18
SHA256: efd903c2a5382b57068aa06022642d1cdaaba97591f1177503f47b0466f46016
SHA512: 6095098f0c1610c9a2113938c8a7e7d0ab34d67da75d8d4d87aae1491c0d889ac79f72fd49a71ed2726e8b3183e1f5da8f1231b34b6d81c851e5ec13c3f75a97