Analysis
max time kernel: 148s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: 142baf953579056035c731ce4c260ac2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 142baf953579056035c731ce4c260ac2.exe
  Resource: win10v2004-20231215-en
General
Target: 142baf953579056035c731ce4c260ac2.exe
Size: 131KB
MD5: 142baf953579056035c731ce4c260ac2
SHA1: 87f6c1ed267bd81f2e5379a792edfdeb4d0d69d5
SHA256: 66c3630fbc1abe0bdd39f168b0aa1c728aabb7dd665f0928f0b12424e9848d46
SHA512: ee6ec592db6322fd8070f8dfec008d4ed650b4a9dfc7303ab1637ad5080fd1ab40792549c8014d171d7c515fba9e413206fdce3531c297ced00d50a08d091e6f
SSDEEP: 3072:/IZsj2j1Ng8G5zmXrZhK95NSHWObS28GQ8BPp3J8wM1ZetR:/IZsjGNpG5aXrZs952bSyQ4Piw
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation
  Process: 142baf953579056035c731ce4c260ac2.exe

Executes dropped EXE (1 IoC)
  pid: 1432
  Process: 2.exe

Drops file in Windows directory (1 IoC)
  description: File created
  ioc: C:\Windows\2.exe
  Process: 142baf953579056035c731ce4c260ac2.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: RenamesItself (1 IoC)
  pid: 2128
  Process: 142baf953579056035c731ce4c260ac2.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 2128 wrote to memory of 1432  2128  142baf953579056035c731ce4c260ac2.exe  69
  PID 2128 wrote to memory of 1432  2128  142baf953579056035c731ce4c260ac2.exe  69
  PID 2128 wrote to memory of 1432  2128  142baf953579056035c731ce4c260ac2.exe  69
Processes

C:\Users\Admin\AppData\Local\Temp\142baf953579056035c731ce4c260ac2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\142baf953579056035c731ce4c260ac2.exe"
  PID: 2128
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  C:\Windows\2.exe (child of PID 2128)
    Command line: "C:\Windows\2.exe"
    PID: 1432
    - Executes dropped EXE