Analysis
- max time kernel: 148s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/01/2024, 05:09
Behavioral task: behavioral1
- Sample: 3bf922c888d36d880d4abb9ab02a2007.exe
- Resource: win7-20231215-en
General
- Target: 3bf922c888d36d880d4abb9ab02a2007.exe
- Size: 8KB
- MD5: 3bf922c888d36d880d4abb9ab02a2007
- SHA1: 882798e4aa557a7d6b49a27a86dd93f13fd7ad40
- SHA256: e52fdf6405eea5e2619e4882658a9109ea803ead950dca8f0638aadd2ceaeee0
- SHA512: f10337efe36e8f2124328a1e62e51433c6f3b3645897f2dc63f883321356f7268047cce6f84f890600b29a472861be4664a837d1f41b1bcff89a69b7953d2cd7
- SSDEEP: 192:zWizBojjLY2W9cOp1fFaNJhLkwcud2DH9VwGfctlnO:zuU2C3daNJawcudoD7Ui
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | 3bf922c888d36d880d4abb9ab02a2007.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | b2e.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1072 | b2e.exe
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid | Process
  4904 | icacls.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/860-0-0x0000000000400000-0x000000000040A000-memory.dmp | upx
  behavioral2/memory/860-9-0x0000000000400000-0x000000000040A000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 860 wrote to memory of 1072 | 860 | 3bf922c888d36d880d4abb9ab02a2007.exe | 21
  PID 860 wrote to memory of 1072 | 860 | 3bf922c888d36d880d4abb9ab02a2007.exe | 21
  PID 860 wrote to memory of 1072 | 860 | 3bf922c888d36d880d4abb9ab02a2007.exe | 21
  PID 1072 wrote to memory of 1740 | 1072 | b2e.exe | 23
  PID 1072 wrote to memory of 1740 | 1072 | b2e.exe | 23
  PID 1072 wrote to memory of 1740 | 1072 | b2e.exe | 23
  PID 1740 wrote to memory of 5004 | 1740 | cmd.exe | 26
  PID 1740 wrote to memory of 5004 | 1740 | cmd.exe | 26
  PID 5004 wrote to memory of 4904 | 5004 | java.exe | 44
  PID 5004 wrote to memory of 4904 | 5004 | java.exe | 44
Processes
- C:\Users\Admin\AppData\Local\Temp\3bf922c888d36d880d4abb9ab02a2007.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bf922c888d36d880d4abb9ab02a2007.exe"
  PID: 860
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4362.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4362.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\4362.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\3bf922c888d36d880d4abb9ab02a2007.exe"
    PID: 1072
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\448B.tmp\batfile.bat" "
      PID: 1740
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
        Command line: java -Xmx256m client 1 live live software members english game1
        PID: 5004
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\icacls.exe
          Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
          PID: 4904
          - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 939a888808a8da6e1f8fe8a7a535d2a2
  SHA1: 9bc1c8aea0ad2d4afc8ccdb10983d5042a42580a
  SHA256: 7b90facaba5111fff1f9da6c3b92ca9c884ee56e4a2f4324dbbe0e75352f1fb8
  SHA512: 9e9028b7f7b3ee4daa2d96517c461420db1020eab110089dda65400634e9a5c8a92ce5c5c87f37a814acc52a286934ee33ac13f4521f997b44c2322fd0238b12