Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 03:59
Static task: static1
Behavioral task: behavioral1
- Sample: 0db271959c6498e6ac93f42f70edd7fd.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0db271959c6498e6ac93f42f70edd7fd.exe
- Resource: win10v2004-20231215-en
General
- Target: 0db271959c6498e6ac93f42f70edd7fd.exe
- Size: 78KB
- MD5: 0db271959c6498e6ac93f42f70edd7fd
- SHA1: 0ee7c3e155b3aa1c8a2755524a074e5e9d27c460
- SHA256: 27e1ad7e5df8b547ab69367b629661af0cd4b8386aa4d7d4cf05816d8b3e68ba
- SHA512: 9d99d2823c2290d5c45da426b81dc551ae8fbdcd1e36ef30d255b0dedd9d4e2469e83ce904e07b496250e47b13e0c2f4ab1298dd6d1411df4d640ad5fa7821ac
- SSDEEP: 1536:RR8jgVoGs8pQjci3Qi6mDfq+TKsySfizW7KsdN36M/w6YZ8:YjasFgi3pySay7KS/w58
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | 0db271959c6498e6ac93f42f70edd7fd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 0db271959c6498e6ac93f42f70edd7fd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1648 wrote to memory of 2912 | 1648 | 0db271959c6498e6ac93f42f70edd7fd.exe | 91
  PID 1648 wrote to memory of 2912 | 1648 | 0db271959c6498e6ac93f42f70edd7fd.exe | 91
  PID 1648 wrote to memory of 2912 | 1648 | 0db271959c6498e6ac93f42f70edd7fd.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0db271959c6498e6ac93f42f70edd7fd.exe"
   - Checks computer location settings
   - Enumerates system info in registry
   - Suspicious use of WriteProcessMemory
   PID: 1648
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wpf..bat" > nul 2> nul
      PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
- MD5: d6ee1140aa8be30cf602b3a7c04db323
- SHA1: 363d1e05d003ca59c3f5170f7fddc87deece2ec0
- SHA256: 9e7f52d44671255051309e4021d40e4b690e4d48d82e2a729adbb5ebde77f726
- SHA512: f2f780d1066fce6fa1e4b336de1a3943a575e67d2ea894a66d85a2c7a1d7232cb017bd6ec9ed7eebe8fc3479cd9d237f2ac7f2646055bfaa7461cfd7b454b2a9