Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: 11b838aafbea231e6d9ac7b4cd578b83.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 11b838aafbea231e6d9ac7b4cd578b83.exe
  Resource: win10v2004-20231215-en
General
Target: 11b838aafbea231e6d9ac7b4cd578b83.exe
Size: 1.4MB
MD5: 11b838aafbea231e6d9ac7b4cd578b83
SHA1: 1517d0b4608754311f7afcf82e347a765f79ac8f
SHA256: 0488a07343371881b2d6b461e0c21403aab39b8fbe669814ed70c850ec4eebe1
SHA512: a185fd320dbfcfd8a39cfdfc26fb906807aa0f37b62aae676b98db424c3c4c3e42243ab75ccb4b89e1bd4e6ed4cb04eb50698935bd9b3ad163d580c7f673be54
SSDEEP: 24576:2FRukAzt8uSHp8X9V0ESdQpglO1CxDyawn27h+9hrlgKQY9SGcZwCdTp:G0k2t8TmX9V0RIglO1CuL9VNcaCd9
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation (process: 11b838aafbea231e6d9ac7b4cd578b83.exe)
Executes dropped EXE (4 IoCs)
  PID 4776 ResHacker.exe
  PID 4548 tmp.tmp.tmp1
  PID 4940 appl_.exe
  PID 4016 vpchowp.exe
Unexpected DNS network traffic destination (11 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (process: appl_.exe)
Drops file in Windows directory (4 IoCs)
  File opened for modification: C:\Windows\tmp.tmp.tmp1 (process: 11b838aafbea231e6d9ac7b4cd578b83.exe)
  File created: C:\Windows\vpchowp.exe (process: tmp.tmp.tmp1)
  File created: C:\Windows\appl_.exe (process: tmp.tmp.tmp1)
  File opened for modification: C:\Windows\ResHacker.exe (process: 11b838aafbea231e6d9ac7b4cd578b83.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0 (process: tmp.tmp.tmp1)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: tmp.tmp.tmp1)
  Key opened: \REGISTRY\MACHINE\hardware\DESCRIPTION\System\CentralProcessor\0 (process: vpchowp.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: vpchowp.exe)
Suspicious use of SetWindowsHookEx (37 IoCs)
  PID 3596 11b838aafbea231e6d9ac7b4cd578b83.exe
  PID 4940 appl_.exe (36 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3596 (11b838aafbea231e6d9ac7b4cd578b83.exe) wrote to memory of PID 4776, procid_target 91 (3 identical entries)
  PID 3596 (11b838aafbea231e6d9ac7b4cd578b83.exe) wrote to memory of PID 4548, procid_target 92 (3 identical entries)
  PID 4548 (tmp.tmp.tmp1) wrote to memory of PID 4940, procid_target 94 (3 identical entries)
  PID 4548 (tmp.tmp.tmp1) wrote to memory of PID 4016, procid_target 95 (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\11b838aafbea231e6d9ac7b4cd578b83.exe (PID 3596)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11b838aafbea231e6d9ac7b4cd578b83.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\ResHacker.exe (PID 4776)
    Command line: "C:\Windows\ResHacker.exe"
    - Executes dropped EXE
  C:\Windows\tmp.tmp.tmp1 (PID 4548)
    Command line: C:\Windows\tmp.tmp.tmp1
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    C:\Windows\appl_.exe (PID 4940)
      Command line: C:\Windows\appl_.exe
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
    C:\Windows\vpchowp.exe (PID 4016)
      Command line: C:\Windows\vpchowp.exe
      - Executes dropped EXE
      - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads