Analysis

  • max time kernel
    141s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 05:12

General

  • Target
    29840309c306d467a1a3319a0cdae275.exe
  • Size
    324KB
  • MD5
    29840309c306d467a1a3319a0cdae275
  • SHA1
    bf1c5e944a2d28f7889d1e6a9cbcdda7e2af5214
  • SHA256
    e30cf1b029a0c9315afe845fc67da97f5ed36d556fe036dafe1abcfa2d50caae
  • SHA512
    2e6c9602524c2e1220b32d1a9ac2d6060ba2fbf3a0649e89bc04d646c0434e552a02a4541495950252eb12376fea5a5f3318b1462f0e47423d535ec23b2c54af
  • SSDEEP
    1536:tOJVn4JLlfLJ0UYFqeXx57B4JN5eCD8SlNDSSvHFRiCCVGCWPaeSe+eooOoaoCoN:QV4JLlfLIl7B4JN5eI4G

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies Internet Explorer start page (1 TTP, 2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\29840309c306d467a1a3319a0cdae275.exe
    "C:\Users\Admin\AppData\Local\Temp\29840309c306d467a1a3319a0cdae275.exe"
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies Internet Explorer start page
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\3323.vbs
      PID:4592
    • C:\Users\Admin\AppData\Local\Temp\Del8656.tmp
      C:\Users\Admin\AppData\Local\Temp\Del8656.tmp 1084 "C:\Users\Admin\AppData\Local\Temp\29840309c306d467a1a3319a0cdae275.exe"
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies Internet Explorer start page
      • Suspicious use of WriteProcessMemory
      PID:2588
  • C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" /nologo C:\WINDOWS\3323.vbs
    PID:3776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Del8656.tmp
    Filesize: 324KB
    MD5: 29840309c306d467a1a3319a0cdae275
    SHA1: bf1c5e944a2d28f7889d1e6a9cbcdda7e2af5214
    SHA256: e30cf1b029a0c9315afe845fc67da97f5ed36d556fe036dafe1abcfa2d50caae
    SHA512: 2e6c9602524c2e1220b32d1a9ac2d6060ba2fbf3a0649e89bc04d646c0434e552a02a4541495950252eb12376fea5a5f3318b1462f0e47423d535ec23b2c54af

  • C:\WINDOWS\3323.vbs
    Filesize: 266KB
    MD5: 1861b0d15a96f0eab78821ef09f11398
    SHA1: 9931aec4e49a4075ce680ae5e69069f506f4383c
    SHA256: 0981eb96faa65fe1ea7afde1d97184d67970c06ed442919a1173b48e91ad5d54
    SHA512: 2b49cf513a546e43040fe63f99adf1d4cd49510a65c04d68122e398c9e1687fd5b29094261cc5265d92b740e8ee9fad46994a97d32ce86222abc7669afd97415