Analysis
max time kernel: 179s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 08:23
Static task: static1
Behavioral task: behavioral1
Sample: 2ef00e66804e808f9c5a4d6a1943cc8a.exe
Resource: win7-20231215-en
Note: this task's Resource (win7-20231215-en) differs from the win10v2004 platform/resource listed above, and the signature memory-dump paths below refer to behavioral2 while only behavioral1 is listed here; the page gives no further task details, so treat the task mapping as unresolved.
General
Target: 2ef00e66804e808f9c5a4d6a1943cc8a.exe
Size: 4.2MB
MD5: 2ef00e66804e808f9c5a4d6a1943cc8a
SHA1: 6c7a46a69ac5d3f32d047a14c8ce03c1a53ec3a5
SHA256: c21010f7c87e95f3df9c061e697437f5a165a194f69c88887ed36c6217b71d48
SHA512: 01380f1fafd75cd33e413282019305f525c410a2939525babc4ef0d2b529bd12db7349f066724d9ad473ce41c5c5ecf83d9e7cab560c37fb149ac3e3b77afb5c
SSDEEP: 98304:MosKQ+SGjJLHXW5ru4IufoXqXBEQzpPYKXsJuBfkL3O2s:Mos2SGj93wruGfoXqXBR8uBfL
Malware Config
Extracted
family: bitrat
version: 1.38
c2: snkno.duckdns.org:43413
communication_password: 827ccb0eea8a706c4c34a16891f84e7b
tor_process: tor
The C2 is a DuckDNS dynamic-DNS hostname on a non-standard port, so block or alert on the hostname rather than a single IP. BitRAT stores the operator's communication password as an MD5 digest; the value here is MD5("12345"), i.e. a default-strength password that can be recovered offline from a short wordlist.
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
resource: behavioral2/memory/3080-7-0x0000000005850000-0x0000000005862000-memory.dmp, yara_rule: CustAttr

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. Caveat: the .NET runtime reads the same key when it resolves the current region, so for a .NET-packed sample this query is weak evidence on its own.
Key value queried: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation, process: 2ef00e66804e808f9c5a4d6a1943cc8a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid 4852 (2ef00e66804e808f9c5a4d6a1943cc8a.exe), four calls. ThreadHideFromDebugger stops an attached debugger from receiving events for that thread; all four calls come from the injected child, not the parent.

Suspicious use of SetThreadContext (1 IoC)
PID 3080 (2ef00e66804e808f9c5a4d6a1943cc8a.exe) set thread context of 4852 (procid_target 105)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 1964 schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeShutdownPrivilege, pid 4852 (2ef00e66804e808f9c5a4d6a1943cc8a.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid 4852 (2ef00e66804e808f9c5a4d6a1943cc8a.exe), two calls

Suspicious use of WriteProcessMemory (14 IoCs)
PID 3080 wrote to memory of 1964 (schtasks.exe, procid_target 103): 3 entries
PID 3080 wrote to memory of 4852 (2ef00e66804e808f9c5a4d6a1943cc8a.exe, procid_target 105): 11 entries

Reading the signatures together: the parent 3080 starts a second copy of its own image (4852), writes into it eleven times and then calls SetThreadContext on it, which is the sequence of a RunPE/process-hollowing loader unpacking the BitRAT payload into a suspended copy of itself. Every runtime behaviour (anti-debug, privilege adjustment, window hooks) is then attributed to 4852, so memory-dump and C2 hunting should target that child, not the on-disk .NET packer.
Processes
C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe (PID 3080)
  command line: "C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\schtasks.exe (PID 1964)
  |     command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrjKuutveP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF98E.tmp"
  |     signatures: Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe (PID 4852)
        command line: "C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"
        signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

Two details worth noting. The command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe: WoW64 file-system redirection, which means the parent is a 32-bit process (consistent with the arch:x86 resource tag). The task is registered from an XML definition in the user's Temp directory under the name "Updates\vrjKuutveP"; the report does not include that XML, so the trigger and action are not recoverable from this page, but the 1KB download listed below is the only other file the run captured.
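The two behaviours in the signature table and the process tree above (a parent that writes into and then sets the thread context of a child running its own image, and schtasks registering a task from an XML file in Temp) are the ones a detection engineer would encode. As an added example that is not part of the report, the following Python runs both checks over a constructed event list modelled on the report's tables; the event dict layout is an assumption for this example and is not tria.ge's export format.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"

# Constructed events mirroring the report's process tree and signature counts
# (assumption: a simplified schema, not tria.ge's real export format).
EVENTS = [
    {"event": "process_create", "pid": 3080, "ppid": 0, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 1964, "ppid": 3080,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrjKuutveP" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF98E.tmp"'},
    {"event": "process_create", "pid": 4852, "ppid": 3080, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    *[{"event": "WriteProcessMemory", "pid": 3080, "target": 1964} for _ in range(3)],
    *[{"event": "WriteProcessMemory", "pid": 3080, "target": 4852} for _ in range(11)],
    {"event": "SetThreadContext", "pid": 3080, "target": 4852},
]


def find_self_hollowing(events, min_writes: int = 1):
    """Flag parent/child pairs where the parent spawns its own image, writes into
    the child, and then sets the child's thread context (RunPE-style hollowing)."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    writes = defaultdict(int)
    ctx_pairs = set()
    for e in events:
        if e["event"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["event"] == "SetThreadContext":
            ctx_pairs.add((e["pid"], e["target"]))
    hits = []
    for parent, child in sorted(ctx_pairs):
        p, c = procs.get(parent), procs.get(child)
        if (p and c and c["ppid"] == parent
                and c["image"].lower() == p["image"].lower()
                and writes[(parent, child)] >= min_writes):
            hits.append({"parent": parent, "child": child,
                         "writes": writes[(parent, child)], "image": p["image"]})
    return hits


# schtasks /XML <path> with or without quotes; /TN <name> likewise.
XML_ARG = re.compile(r'/XML\s+"?([^"\s]+)"?', re.IGNORECASE)
TN_ARG = re.compile(r'/TN\s+"?([^"\s]+)"?', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def find_temp_schtasks(events):
    """Flag schtasks.exe registering a task from an XML file under the user's Temp."""
    hits = []
    for e in events:
        if e["event"] != "process_create":
            continue
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        m = XML_ARG.search(e["cmdline"])
        if not m or not TEMP_DIR.search(m.group(1)):
            continue
        tn = TN_ARG.search(e["cmdline"])
        hits.append({"pid": e["pid"], "ppid": e["ppid"], "xml": m.group(1),
                     "task_name": tn.group(1) if tn else None,
                     # SysWOW64 image with a System32 command line => 32-bit parent.
                     "wow64": "\\syswow64\\" in e["image"].lower()})
    return hits


if __name__ == "__main__":
    for hit in find_self_hollowing(EVENTS):
        print("hollowing:", hit)
    for hit in find_temp_schtasks(EVENTS):
        print("schtasks from Temp:", hit)
```

The hollowing check keys on the SetThreadContext call rather than on write counts alone, because legitimate parents (debuggers, installers) also write into children; requiring same image, parent/child relation and a context reset together keeps the rule tight enough to run on EDR telemetry.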
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 5606e5bbf5319b62bbf0706296c60d3a
SHA1: 243a9b7b1e2c57b69f66aed25c6df03ebae3de45
SHA256: 1ccfa98bd9853083355b02ca52b9fa1ffc08b12e9c323a5ddf80317e8570260f
SHA512: 6129d53034d41ee44ab032a554d39ffc545788cb9b827c812a284ee5672e5be2a31743f1f86def3f0036a8d9b7d6cdb5b8293b3f467c43ff6606c98105d069e7