Analysis
- max time kernel: 136s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 03:43
Static task: static1

Behavioral task: behavioral1
- Sample: 0d50dbd6b7c1009b886c869774026e08.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 0d50dbd6b7c1009b886c869774026e08.exe
- Resource: win10v2004-20231215-en
General
- Target: 0d50dbd6b7c1009b886c869774026e08.exe
- Size: 696KB
- MD5: 0d50dbd6b7c1009b886c869774026e08
- SHA1: 7e464a2023d8b08b01c171b4e1cb615570362294
- SHA256: 0a1327918b6e25eeb22e76b29d1f6a9a56330dbb9a2a46eb678b3f077c68f788
- SHA512: 5f533ab897b7b901cfa60bad67184d6a26ebacc28a85c67cbf898b995e787fbb26358d5d0d18bf2701ec22019255bf28122424c107302412454a2fb58746addb
- SSDEEP: 12288:ob9cW5vyb8vFgL1LFYg9ysGbcHasDyb/lDfRq9+uJ7zk+nG8R5+YIHf8pw5a4Ec7:LOgJLFIcHb4/VfRq3JhG8RobEpcas9
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4940  CheckVer104.exe
  4480  regver.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  1672  0d50dbd6b7c1009b886c869774026e08.exe
  1672  0d50dbd6b7c1009b886c869774026e08.exe
  1672  0d50dbd6b7c1009b886c869774026e08.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  4480  regver.exe
  4480  regver.exe
  4940  CheckVer104.exe
  4940  CheckVer104.exe
  4480  regver.exe
  4480  regver.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 1672 wrote to memory of 4480  1672  0d50dbd6b7c1009b886c869774026e08.exe  89
  PID 1672 wrote to memory of 4480  1672  0d50dbd6b7c1009b886c869774026e08.exe  89
  PID 1672 wrote to memory of 4480  1672  0d50dbd6b7c1009b886c869774026e08.exe  89
  PID 1672 wrote to memory of 4940  1672  0d50dbd6b7c1009b886c869774026e08.exe  88
  PID 1672 wrote to memory of 4940  1672  0d50dbd6b7c1009b886c869774026e08.exe  88
  PID 1672 wrote to memory of 4940  1672  0d50dbd6b7c1009b886c869774026e08.exe  88
Processes
- C:\Users\Admin\AppData\Local\Temp\0d50dbd6b7c1009b886c869774026e08.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d50dbd6b7c1009b886c869774026e08.exe"
  PID: 1672
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
    Command line: C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
    PID: 4940
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\TempImg\regver.exe
    Command line: C:\Users\Admin\AppData\Local\TempImg\regver.exe
    PID: 4480
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 332KB
  MD5: fa199dffc4991a36725e1a2d272e787e
  SHA1: 68c1db76a8080782e3f450e3f724e4e1564b18f6
  SHA256: 13c8453cb118d3f9d2dc2a1189633ab10162f902758320487f03daf124c4bb9e
  SHA512: 8dc6a2369dc87148ac45cd6ae37f33fcb32c4fd863d17f6166a41c7a4ef40edd6a4da0f57536f382e550add791bf678a5116e0f1cb440649be1b924c3a31a520
- Filesize: 290KB
  MD5: 9181b183dd3096301e7211ed0312de8a
  SHA1: 0c321747b581ad79da70dc9aab183cc12c3bbefd
  SHA256: 202fcecc53f1ffd2d1d85cc4cc79a24ae37285ce564e15615b5d13ca69487968
  SHA512: 5316e0511746c75603ba02eaf79b9aafbb29356f94279f466d3f17e9894082f14cf052ca3b8f52a149815e8c9b58f5d4b02ef1dcc3d677dc27032480f788adf7
- Filesize: 5KB
  MD5: a7cd6206240484c8436c66afb12bdfbf
  SHA1: 0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919
  SHA256: 69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926
  SHA512: b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904
- Filesize: 11KB
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667