Analysis
  Max time kernel:  175s
  Max time network: 190s
  Platform:         windows10-2004_x64
  Resource:         win10v2004-20231215-en
  Resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:        30/12/2023, 01:52
Static task: static1

Behavioral task: behavioral1
  Sample:   0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
  Resource: win10v2004-20231215-en
General
  Target: 0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
  Size:   440KB
  MD5:    0abcac168e9f57bfeaa19d1a0e5dbf9b
  SHA1:   d248545e0f652b13356a7f3671215f1bdbb8b874
  SHA256: 35e3aa85bd1d97eed8a682a6eed57007b040a1b0b67e2e13a97fc3f2d5be37a8
  SHA512: 91df5115f6e91e51b30bc2c4d6854f53fb15831e2e0c0badb803c2f0721ec7e92ce99f6d60eca93a136c2f3e802fad2a3435cbd06b3c9141ada752f5c1c230cf
  SSDEEP: 6144:5ZunObR8sVImcyYC5JvY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPZ:WK+mzMNE/Ds3fM20lHmYWwH3zuxPnIc
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Description        IoC                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
The query is made by the first-stage executable itself, before any payload is dropped, which is consistent with an early exit on an unwanted locale.

Executes dropped EXE (3 IoCs)
  PID   Process
  1092  loadwg.exe
  4400  dxcyswg.exe
  952   GTH60369.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  4400  dxcyswg.exe
  952   GTH60369.exe

UPX-packed executables (YARA rule: upx, 7 IoCs)
  Resource                                                                     YARA rule
  behavioral2/files/0x000200000001e7f9-14.dat                                  upx
  behavioral2/memory/1092-20-0x0000000000400000-0x00000000004AC000-memory.dmp  upx
  behavioral2/files/0x000200000001e7fa-22.dat                                  upx
  behavioral2/memory/4400-23-0x0000000000400000-0x000000000044A000-memory.dmp  upx
  behavioral2/memory/1092-30-0x0000000000400000-0x00000000004AC000-memory.dmp  upx
  behavioral2/memory/4400-37-0x0000000000400000-0x000000000044A000-memory.dmp  upx
  behavioral2/memory/1092-43-0x0000000000400000-0x00000000004AC000-memory.dmp  upx
The matches cover two files written during the run and the in-memory images of PID 1092 (loadwg.exe) and PID 4400 (dxcyswg.exe), so both dropped executables are UPX-packed.

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  Resource                                                                     YARA rule
  behavioral2/memory/1092-30-0x0000000000400000-0x00000000004AC000-memory.dmp  autoit_exe
  behavioral2/memory/1092-43-0x0000000000400000-0x00000000004AC000-memory.dmp  autoit_exe
Only PID 1092 matches, so loadwg.exe is the compiled AutoIt stage.

Drops file in System32 directory (4 IoCs)
  Description                   IoC                               Process
  File opened for modification  C:\Windows\SysWOW64\mmsfc1.dll    dxcyswg.exe
  File created                  C:\Windows\SysWOW64\comres.dll    dxcyswg.exe
  File created                  C:\Windows\SysWOW64\GTH60369.exe  dxcyswg.exe
  File created                  C:\Windows\SysWOW64\mmsfc1.dll    dxcyswg.exe

Drops file in Windows directory (3 IoCs)
  Description   IoC                           Process
  File created  C:\Windows\fOnTs\comres.dll   dxcyswg.exe
  File created  C:\Windows\fOnTs\GTH60369.ttf  dxcyswg.exe
  File created  C:\Windows\fOnTs\GTH60369.fon  dxcyswg.exe
Note the mixed-case directory name fOnTs and the reuse of comres.dll, the name of a legitimate Windows system DLL: path-based detections must compare case-insensitively and must not whitelist a write merely because the file name is a known Windows component.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  4400  dxcyswg.exe
  4400  dxcyswg.exe
  952   GTH60369.exe
  952   GTH60369.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  1092  loadwg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  952   GTH60369.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                               procid_target
  PID 1692 wrote to memory of 1092  1692  0abcac168e9f57bfeaa19d1a0e5dbf9b.exe  100
  PID 1692 wrote to memory of 1092  1692  0abcac168e9f57bfeaa19d1a0e5dbf9b.exe  100
  PID 1692 wrote to memory of 1092  1692  0abcac168e9f57bfeaa19d1a0e5dbf9b.exe  100
  PID 1092 wrote to memory of 4400  1092  loadwg.exe                            104
  PID 1092 wrote to memory of 4400  1092  loadwg.exe                            104
  PID 1092 wrote to memory of 4400  1092  loadwg.exe                            104
  PID 4400 wrote to memory of 952   4400  dxcyswg.exe                           105
  PID 4400 wrote to memory of 952   4400  dxcyswg.exe                           105
  PID 4400 wrote to memory of 952   4400  dxcyswg.exe                           105
Each parent writes only into the child it has just created (compare the process tree below), not into any unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\0abcac168e9f57bfeaa19d1a0e5dbf9b.exe  (PID 1692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0abcac168e9f57bfeaa19d1a0e5dbf9b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe  (PID 1092, child of 1692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe  (PID 4400, child of 1092)
      Command line: dxcyswg.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\GTH60369.exe  (PID 952, child of 4400)
        Command line: C:\Windows\system32\GTH60369.exe C:\Windows\fOnTs\comres.dll dns C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

Notes on the tree. RarSFX0 is the extraction directory a WinRAR self-extracting archive creates under %TEMP%, so the submitted file is an SFX wrapper whose payload is loadwg.exe and dxcyswg.exe. The fourth stage is launched as C:\Windows\system32\GTH60369.exe but its image path is C:\Windows\SysWOW64\GTH60369.exe: the parent is a 32-bit process (resource tag arch:x86, UPX image mapped at 0x400000), so its "system32" writes and launches are subject to WOW64 file-system redirection and land in SysWOW64. Its command line passes the dropped C:\Windows\fOnTs\comres.dll, the literal argument dns, and the path of its own parent.
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run, listed by size and hash only; the report does not map them to the dropped paths above.

File 1
  Filesize: 16KB
  MD5:    0d728917bfe5d5e43b9683733897e897
  SHA1:   bcd4babb6fe2dd167d9bd53795dddca2e07830b3
  SHA256: 91aca432b8b075f56591f9d868fa6164cbf6c85d91efb636757cc17035fc537a
  SHA512: afdca009ed96686bcdc69129bc34e54360f9960533f38e618c50a6983bd740f1f946ddb086d360d617ae479cdd2870c0ca33ae163bf979b9628c7851264fd84f

File 2
  Filesize: 333KB
  MD5:    5a74f1a22e11a717cff8bd4f6f18913d
  SHA1:   459db43f79a38a9d67aeb248328039eb6c77ac43
  SHA256: 0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a
  SHA512: bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

File 3
  Filesize: 60KB
  MD5:    889b99c52a60dd49227c5e485a016679
  SHA1:   8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

File 4
  Filesize: 48KB
  MD5:    98c499fccb739ab23b75c0d8b98e0481
  SHA1:   0ef5c464823550d5f53dd485e91dabc5d5a1ba0a
  SHA256: d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087
  SHA512: 9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

File 5
  Filesize: 12KB
  MD5:    500ed35dd00ab4d97149325645fdda56
  SHA1:   030821994984093e48acebce7faea6fff894bd39
  SHA256: 2aae8310f3e8560d5f672a690f49b073b037a2c6f43fc8207443f4194711573f
  SHA512: 666509f6f3f63fae83e777e9bf7050c1f3eaaeffa60d5a06d0d848cb635a2f7424859504fb93f6885554452be12e35efb1ced317335204b0996cf01dc8fdc33b