Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2023, 22:29
Static task: static1
Behavioral task: behavioral1
- Sample: 05a132213c55150bd7eb19b12a9ec615.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 05a132213c55150bd7eb19b12a9ec615.exe
- Resource: win10v2004-20231215-en
General
- Target: 05a132213c55150bd7eb19b12a9ec615.exe
- Size: 1.0MB
- MD5: 05a132213c55150bd7eb19b12a9ec615
- SHA1: 77afc013c1d70ab190cb82bf473e00f9e6ea3bbe
- SHA256: 72150744ee85074592c99946fd4577baee1795e74f5e1cc4afd03d9a9dd50ad8
- SHA512: b36a7833a0124df7b1601c834247a2a94e8f91916b4a452f3c67e07431d08b4b9398a7cce6dd96908dd707c0c29df5211b5b3391b1da60e1a14cb500a209c162
- SSDEEP: 24576:j41+PU/2ueS8I+IGGyrOjPzLZ+9O1kWQmXKVTzLH:k+PU/2uNn+IGVcHRavmaVH
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
  Process: 1.exe
- Executes dropped EXE (2 IoCs)
  pid 2888  Process 1.exe
  pid 4908  Process temp.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 05a132213c55150bd7eb19b12a9ec615.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 3752  pid_target 4908  Process WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                               procid_target
  PID 1376 wrote to memory of 2888   1376  05a132213c55150bd7eb19b12a9ec615.exe  89
  PID 1376 wrote to memory of 2888   1376  05a132213c55150bd7eb19b12a9ec615.exe  89
  PID 1376 wrote to memory of 2888   1376  05a132213c55150bd7eb19b12a9ec615.exe  89
  PID 2888 wrote to memory of 4908   2888  1.exe                                 96
  PID 2888 wrote to memory of 4908   2888  1.exe                                 96
  PID 2888 wrote to memory of 4908   2888  1.exe                                 96
Processes
- C:\Users\Admin\AppData\Local\Temp\05a132213c55150bd7eb19b12a9ec615.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05a132213c55150bd7eb19b12a9ec615.exe"
  PID: 1376
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    PID: 2888
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\temp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      PID: 4908
      - Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4908 -ip 4908
  PID: 5612
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 264
  PID: 3752
  - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: aa971a9ee4f0d153ebbced5de7447914
  SHA1: 4bc10b4128d2fd2223625dcc2d56b93fb0aa2732
  SHA256: be1b6485244457c2c1f8e38175064f1bcbcf69ce45876f9999df731a40b157ae
  SHA512: d52ecc92d7064c726484ca4d1e09bb9ffa678fddad7c925f447c2a71a02179f5b39bd31501f660f765238b3a366dec9bbfded3dc02c755e3080ef97e9fcac4db