Analysis
  max time kernel:  140s
  max time network: 147s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        31/12/2023, 22:55
Behavioral task: behavioral1
  Sample:   3b45f931cf10857580e832601b463bc3.exe
  Resource: win7-20231215-en
General
  Target: 3b45f931cf10857580e832601b463bc3.exe
  Size:   187KB
  MD5:    3b45f931cf10857580e832601b463bc3
  SHA1:   b1c1c1c9cd8a832204fbf09cd673af7a1fee04dc
  SHA256: ce089fe865d47c7a4b5dbb399229e35b30a939e52797d316fd0ec6f130cf46c8
  SHA512: 5f2ad53658bb9d139e99e0b6b6d64565414a691b75fb180624f836a2d131767e9c91dd5086879f5dec851a5b909f5c227b04a6afe869a45f8312e318c934b245
  SSDEEP: 3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad3:2mvqeP33AYFIN9treHy3
Malware Config
  Extracted family: urelas
  C2 addresses:
    218.54.47.76
    218.54.47.77
    218.54.47.74
Signatures

  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
    description        | ioc                                                                                               | Process
    Key value queried  | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 3b45f931cf10857580e832601b463bc3.exe

  Executes dropped EXE (1 IoC)
    pid  | Process
    3720 | biudfw.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                      | pid  | Process                              | procid_target
    PID 4972 wrote to memory of 3720 | 4972 | 3b45f931cf10857580e832601b463bc3.exe | 94
    PID 4972 wrote to memory of 3720 | 4972 | 3b45f931cf10857580e832601b463bc3.exe | 94
    PID 4972 wrote to memory of 3720 | 4972 | 3b45f931cf10857580e832601b463bc3.exe | 94
    PID 4972 wrote to memory of 2952 | 4972 | 3b45f931cf10857580e832601b463bc3.exe | 92
    PID 4972 wrote to memory of 2952 | 4972 | 3b45f931cf10857580e832601b463bc3.exe | 92
    PID 4972 wrote to memory of 2952 | 4972 | 3b45f931cf10857580e832601b463bc3.exe | 92
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe"
      Signatures:   Checks computer location settings; Suspicious use of WriteProcessMemory
      PID:          4972

      [2] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
          PID:          2952

      [2] C:\Users\Admin\AppData\Local\Temp\biudfw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
          Signatures:   Executes dropped EXE
          PID:          3720
Network
MITRE ATT&CK Enterprise v15
Downloads

  File 1
    Filesize: 187KB
    MD5:      7b70255d26849b2fd34ccc5cfd83ced7
    SHA1:     cb765856f83cae17e4c57b1883f3f505439a6294
    SHA256:   cf3f71023774872ada78077bb6c08917a8a10da177474797dd16873cdbb7a148
    SHA512:   eac8e0720a9e15dfccf016a7664c88ffffe26ded0e7d9d9d53c6df4007545641100b18227ae26af55e8a656eea940a461947673f6d35ae8b00c95c50c6934c8c

  File 2
    Filesize: 512B
    MD5:      1e75a7e32613b9d0b73f13b66c2c2f58
    SHA1:     035e2d6ab4ac34190f0e684681098188409e978c
    SHA256:   9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3
    SHA512:   e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

  File 3
    Filesize: 274B
    MD5:      cb0a8830fbf20a8d3908fbb84303c4ec
    SHA1:     a0f81f41530ee0c1aa27378475fa2e7a8569f015
    SHA256:   cec8c307ddf35cbe00de0d1c397d1db046fb119bcf55912895087db5e46b5e63
    SHA512:   842f9bf101c568a3731476474f4a7403ffcedf9f68385e57110ff656bf84f6d037eecf8d703acc70389d0cc9a14fb3fcfc0a7548d2c61affa52c4c572e163bf3