Analysis
max time kernel: 147s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2c136aa55d66577608f8d74d3ff0d1cc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2c136aa55d66577608f8d74d3ff0d1cc.exe
  Resource: win10v2004-20231215-en
General
Target: 2c136aa55d66577608f8d74d3ff0d1cc.exe
Size: 2KB
MD5: 2c136aa55d66577608f8d74d3ff0d1cc
SHA1: 516ecb3377bebffd5cc6a73b012e8990fdb66be0
SHA256: 1e539e4edb08c5fd4a091ca8b96c44e3c3c11034483b9a75d184c5affca68a03
SHA512: efee1ddfd4834d68a70c5bc6bc1a5336420458dd735e7369027758a3347b9fefa2ba37a864536dfba339e46c61d9df961307e819b40fd6f7eae316da20ec20fb
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                          | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 2c136aa55d66577608f8d74d3ff0d1cc.exe

Drops file in System32 directory (1 IoC)
description                   | ioc                               | Process
File opened for modification  | C:\Windows\SysWOW64\regedit.exe   | attrib.exe

Drops file in Windows directory (25 IoCs)
description                   | ioc                                       | Process
File opened for modification  | C:\Windows\setuperr.log                   | attrib.exe
File opened for modification  | C:\Windows\win.ini                        | attrib.exe
File opened for modification  | C:\Windows\Globalization\ICU\icudtl.dat   | cmd.exe
File opened for modification  | C:\Windows\SysmonDrv.sys                  | attrib.exe
File opened for modification  | C:\Windows\winhlp32.exe                   | attrib.exe
File opened for modification  | C:\Windows\hh.exe                         | attrib.exe
File opened for modification  | C:\Windows\lsasetup.log                   | attrib.exe
File opened for modification  | C:\Windows\splwow64.exe                   | attrib.exe
File opened for modification  | C:\Windows\WindowsUpdate.log              | attrib.exe
File opened for modification  | C:\Windows\bfsvc.exe                      | attrib.exe
File opened for modification  | C:\Windows\twain_32.dll                   | attrib.exe
File opened for modification  | C:\Windows\WMSysPr9.prx                   | attrib.exe
File opened for modification  | C:\Windows\write.exe                      | attrib.exe
File opened for modification  | C:\Windows\bootstat.dat                   | attrib.exe
File opened for modification  | C:\Windows\HelpPane.exe                   | attrib.exe
File opened for modification  | C:\Windows\Professional.xml               | attrib.exe
File opened for modification  | C:\Windows\setupact.log                   | attrib.exe
File opened for modification  | C:\Windows\notepad.exe                    | attrib.exe
File opened for modification  | C:\Windows\explorer.exe                   | attrib.exe
File opened for modification  | C:\Windows\WindowsShell.Manifest          | attrib.exe
File opened for modification  | C:\Windows\DtcInstall.log                 | attrib.exe
File opened for modification  | C:\Windows\mib.bin                        | attrib.exe
File opened for modification  | C:\Windows\PFRO.log                       | attrib.exe
File opened for modification  | C:\Windows\sysmon.exe                     | attrib.exe
File opened for modification  | C:\Windows\system.ini                     | attrib.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description                         | pid  | Process                               | procid_target
PID 3208 wrote to memory of 5060    | 3208 | 2c136aa55d66577608f8d74d3ff0d1cc.exe  | 89
PID 3208 wrote to memory of 5060    | 3208 | 2c136aa55d66577608f8d74d3ff0d1cc.exe  | 89
PID 3208 wrote to memory of 5060    | 3208 | 2c136aa55d66577608f8d74d3ff0d1cc.exe  | 89
PID 5060 wrote to memory of 760     | 5060 | cmd.exe                               | 91
PID 5060 wrote to memory of 760     | 5060 | cmd.exe                               | 91
PID 5060 wrote to memory of 760     | 5060 | cmd.exe                               | 91

Views/modifies file attributes (1 TTP, 1 IoC)
pid  | Process
760  | attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2c136aa55d66577608f8d74d3ff0d1cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2c136aa55d66577608f8d74d3ff0d1cc.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 3208

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\c0ldW4ff3lz.bat" "
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 5060

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: ATTRIB -S -H -R -A C:\Windows\*
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Views/modifies file attributes
         PID: 760
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: ac6dc4ca9cd7dfc654f8994603163ad7
SHA1: 190b3c2d7268a1526b7cf6c3e9d5a2ac400e151f
SHA256: fc94bbf991dfc7e5ece390ec84b0f93b21aeac47667a90d302ee382764cfa820
SHA512: 0c34191973e299c803be4aa439a56791ba5ad6db7bf17981978167724c133f1016006871d0a4919ca53d61dc6c2dedf625efa94d205a5b4efdae9e254aafde8c