Analysis
  max time kernel: 144s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 31/12/2023, 01:46
Static task: static1
Behavioral task: behavioral1
  Sample: 234ae080b7834ff4af76d1259da42432.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 234ae080b7834ff4af76d1259da42432.exe
  Resource: win10v2004-20231215-en
General
  Target: 234ae080b7834ff4af76d1259da42432.exe
  Size: 105KB
  MD5: 234ae080b7834ff4af76d1259da42432
  SHA1: db7f75a1ec1c7940b449fb77ac0b7a2fddc9de1a
  SHA256: 48d6ab9e9deb2b1b278ccbdcd923ba5b4f3d6ff14f49cca4ed190c706ce21053
  SHA512: 689adbe8cce56d03285c77d28e4204adf096ef2a05f4c641012e224757a21465282d3734ee326b4ca1234e73f48155f303fcd1b1f9583384a0d202ebe1cb7e20
  SSDEEP: 3072:SCXELNZ8Vt4QQCJIjUmtyx7Wj5gvTTv7nq9vtp:rX88VCkIjj+7uSrHq9vtp
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
  Process: 234ae080b7834ff4af76d1259da42432.exe
- Executes dropped EXE (1 IoC)
  pid: 5068
  Process: rb.exe
- Drops file in Windows directory (1 IoC)
  description: File created
  ioc: C:\Windows\rb.exe
  Process: 234ae080b7834ff4af76d1259da42432.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid: 2132
  pid_target: 5068
  Process: WerFault.exe
  procid_target: 88
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 1380
  Process: 234ae080b7834ff4af76d1259da42432.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1380 wrote to memory of 5068 | pid: 1380 | Process: 234ae080b7834ff4af76d1259da42432.exe | procid_target: 88
  description: PID 1380 wrote to memory of 5068 | pid: 1380 | Process: 234ae080b7834ff4af76d1259da42432.exe | procid_target: 88
  description: PID 1380 wrote to memory of 5068 | pid: 1380 | Process: 234ae080b7834ff4af76d1259da42432.exe | procid_target: 88
Processes
C:\Users\Admin\AppData\Local\Temp\234ae080b7834ff4af76d1259da42432.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\234ae080b7834ff4af76d1259da42432.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID: 1380
    C:\Windows\rb.exe (depth 2)
      command line: "C:\Windows\rb.exe"
      - Executes dropped EXE
      PID: 5068
        C:\Windows\SysWOW64\WerFault.exe (depth 3)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 228
          - Program crash
          PID: 2132
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5068 -ip 5068
  PID: 1464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 91KB
  MD5: ea68903451b0a6f11921b8d80cd03926
  SHA1: f56527ffb9a9655ea51ca850ed87b27ebe9f3486
  SHA256: d87d13a2fddd1ed838fa9e14fc47e894d8f7fcb3f5301ceb52a125e79d6bcd97
  SHA512: ab3718651468735b75fef3711b97a7b179ebd621bcb74723b4b72dc295668afabb383f065b80ad5174bcc6fb3376f23e49353cffb28cc65818ec70a8ed9108c9