Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 07:08

General

  • Target

    5b8d865aff0cf1ec17a62dea3eb254e5.exe

  • Size

    270KB

  • MD5

    5b8d865aff0cf1ec17a62dea3eb254e5

  • SHA1

    141f27590bc3daee10de594466622249a7730746

  • SHA256

    6c8e8ba9cad3f96aeb6add6a6e269f9a50434bb9a55c0ec64b559c2dbb1da24c

  • SHA512

    19eba9ed70f3f4375407a256aaf715a56688f0b6cdbfa24681b09345f45aed6629a3ee231bf27f0c88bab89c2bc2dd05e231e7876687d9a4a828c5d8a52deafb

  • SSDEEP

    3072:ep+iCYEphBVgcPvn6RpGlgsr5/0u1cSGo2cbvlvSsoT8LmjcV+lDFWCUwmsMNDeD:FiwvX66lf5jCoBvosUbYsMND/WG7Av9

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Loads dropped DLL (2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)

    BHOs are DLL modules that act as plugins for Internet Explorer and are loaded into its process.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (5 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b8d865aff0cf1ec17a62dea3eb254e5.exe
    "C:\Users\Admin\AppData\Local\Temp\5b8d865aff0cf1ec17a62dea3eb254e5.exe"
    1⤵
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\werwea.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:2144
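The process tree above shows the sample (a 32-bit image, per the arch:x86 resource tag) registering its dropped DLL with regsvr32 /s. Because the parent is 32-bit, both the file write and the process launch went through WOW64 redirection: the command line names C:\Windows\System32\regsvr32.exe and C:\Windows\system32\werwea.dll, but the process that actually ran is C:\Windows\SysWOW64\regsvr32.exe and the DLL landed in C:\Windows\SysWOW64 (as the Downloads section confirms). The BHO registration therefore ends up under the WOW6432Node views of the registry, which a hunt that only reads the native keys will miss. The following PowerShell is an added triage script, not part of the tria.ge report or the sample; it enumerates BHO registrations in both registry views, resolves each CLSID to its InprocServer32 DLL, hashes the DLL and compares it against the SHA256 of the dropped werwea.dll listed below, and also checks the two candidate drop paths directly. The Program Files location heuristic and the Authenticode check are assumptions about what a legitimate BHO normally looks like, not facts from the report.

```powershell
# Added triage example (not from the tria.ge report): hunt for the BHO persistence
# shown in the process tree. Run in an elevated PowerShell on the host being triaged.

# SHA256 of the dropped werwea.dll, taken from the report's Downloads section.
$KnownBadSha256 = '17773bf9877ae5093752dcd8dc92fc19a4b58ffd31a9e354f1b0e24ca6c472d7'

# Both drop-path candidates: the redirected (actual) and the literal (command-line) path.
$DropPaths = @('C:\Windows\SysWOW64\werwea.dll', 'C:\Windows\System32\werwea.dll')

# Native and WOW64 BHO registration keys. A 32-bit regsvr32 writes under WOW6432Node.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
)

# Resolve a BHO CLSID to the DLL path stored in its InprocServer32 default value.
function Resolve-BhoDll {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

# Pass 1: look for the dropped file by path and hash.
foreach ($p in $DropPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $verdict = if ($h -eq $KnownBadSha256) { 'MATCHES report IoC' } else { 'present, hash differs' }
        Write-Output "[drop path] $p : $verdict ($h)"
    }
}

# Pass 2: enumerate every registered BHO and score it.
$findings = foreach ($bhoKey in $BhoKeys) {
    if (-not (Test-Path -Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $dll    = Resolve-BhoDll -Clsid $clsid
        $exists = $dll -and (Test-Path -LiteralPath $dll)
        $sha256 = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash.ToLower() } else { $null }

        $reasons = @()
        if ($sha256 -eq $KnownBadSha256) { $reasons += 'hash matches dropped werwea.dll' }
        if ($dll -and -not $exists)      { $reasons += 'registered DLL missing on disk' }
        # Heuristic (assumption): vendor BHOs normally live under Program Files; a BHO
        # DLL in System32/SysWOW64, as in this report, is unusual.
        if ($dll -and $dll -notmatch '^[A-Za-z]:\\Program Files') { $reasons += 'DLL outside Program Files' }
        if ($exists) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
            if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status: $($sig.Status)" }
        }

        [pscustomobject]@{
            Key     = $bhoKey
            CLSID   = $clsid
            Dll     = $dll
            SHA256  = $sha256
            Suspect = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Anything with a Suspect column that names the report hash is a confirmed hit; entries flagged only by the location or signature heuristics need a second look rather than automatic cleanup. If a hit is removed, delete both the Browser Helper Objects subkey and the CLSID key in the same registry view the script found it in, otherwise regsvr32 /s can re-register it cleanly if the sample runs again.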

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\werwea.dll

    Filesize

    148KB

    MD5

    32f4c388806e0c6d76c930ca40c1413a

    SHA1

    960f601eae5249781220511a0b122e5b0497f32d

    SHA256

    17773bf9877ae5093752dcd8dc92fc19a4b58ffd31a9e354f1b0e24ca6c472d7

    SHA512

    0cfd5aceb5eb9ad5e6608776008f136697c738e38a9e8bed7ebc7298a9bd910495b8b9ecc49ad3a2ad8382a970511638c2725e20335488edad983b9c09640f6e

  • memory/2144-7-0x00000000005D0000-0x00000000005FA000-memory.dmp

    Filesize

    168KB