Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    180s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2023, 22:35

General

  • Target

    05c3072c5af72f61686f0a9d8bd9661b.exe

  • Size

    446KB

  • MD5

    05c3072c5af72f61686f0a9d8bd9661b

  • SHA1

    8766bb71a8c01fc54e5993db89f8bb10559eb3aa

  • SHA256

    8e09b38ae36b323e544691cad85e3b633d05606183b8668936204ca36d44b125

  • SHA512

    bf8938a548c76766a48c97d39ac213647991ce8910aae9edbd9f55519eb25edb62a595304b43f09de7d623abf1003334ec7b17628f0480f763780e967506ea2c

  • SSDEEP

    6144:5ZunObR8sVImcyYC5Jfz3jzB8kOQIq+3mxkyJIrC+J/pbKvCB23xqy7uXhY7pOKv:WK+mzH/6Y+4hupHQYyqXh6ZyDlaLsiTH

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05c3072c5af72f61686f0a9d8bd9661b.exe
    "C:\Users\Admin\AppData\Local\Temp\05c3072c5af72f61686f0a9d8bd9661b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xyqjwg.exe
        xyqjwg.exe
        3⤵
        • Executes dropped EXE
        PID:3468
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 288
          4⤵
          • Program crash
          PID:1884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3468 -ip 3468
    1⤵
      PID:2200

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

      Filesize

      334KB

      MD5

      bae3eb4767317ba6eb0805347f32c66c

      SHA1

      644ae6e107658e478f15dfce652fcb0e4e493af6

      SHA256

      a982cdae025294cc536d2d429205151e6934dd54b2850af220bed6f58f4c1dfb

      SHA512

      01ce521798e583be251839f53397b104b35aec8800e282496196824163138efc866f553805c330bdf5653b16c215eafb07a0ea08a0fb122a28f0d4d72298160e

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xyqjwg.exe

      Filesize

      20KB

      MD5

      3c9e4e6f50dd23f58d4f02bc9721e4c7

      SHA1

      9cd1e2f22a9ceca27c00157e4577b5a1d03f4119

      SHA256

      2ef4c3f2a93369d3812d20db2c002405e0eb1df5a6c649bd69e6a3cb2a100305

      SHA512

      906da2819da1a2df33524471e647192a019044a327b2e5f692917c4c89559011aed5f1c836fc5c222a3aa36d07e98c4061350033cc8fcabfc1e992aae77c63ff

    • memory/864-4-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/864-18-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/4692-14-0x0000000000400000-0x00000000004AC000-memory.dmp

      Filesize

      688KB

    • memory/4692-19-0x0000000000400000-0x00000000004AC000-memory.dmp

      Filesize

      688KB