Analysis
max time kernel: 153s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/01/2024, 14:52
Static task: static1
Behavioral task: behavioral1
  Sample: 3d23e9731770f2e6807d4ee80bcbfefc.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 3d23e9731770f2e6807d4ee80bcbfefc.exe
  Resource: win10v2004-20231215-en
General
Target: 3d23e9731770f2e6807d4ee80bcbfefc.exe
Size: 124KB
MD5: 3d23e9731770f2e6807d4ee80bcbfefc
SHA1: 08d8710e5a7f6e08f750bb683053362dc1ce8d47
SHA256: e8761a2580f6fd93efe25e688e51aae28078923459aa03a6866e11959b516612
SHA512: 92eabebd2dc3cdcb71003805173d03db06e620918ec3f460983884816c303e0805cfb6e0da1ad3dc11c534fbcde5dad813b2fb5442239582a39d5f7746bda90c
SSDEEP: 3072:SHuAbDp/7uv/ATQPFzKfwsHjrw0b4B6WAz62W7QnJyR7GEXsT:vAbD5CH1zKfwsXwG2PbmnIAw2
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation (process: 3d23e9731770f2e6807d4ee80bcbfefc.exe)
- Executes dropped EXE (1 IoC)
  PID 3088: 2.exe
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\2.exe (process: 3d23e9731770f2e6807d4ee80bcbfefc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1928: 3d23e9731770f2e6807d4ee80bcbfefc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1928 wrote to memory of 3088 (process: 3d23e9731770f2e6807d4ee80bcbfefc.exe, procid_target: 90)
  PID 1928 wrote to memory of 3088 (process: 3d23e9731770f2e6807d4ee80bcbfefc.exe, procid_target: 90)
  PID 1928 wrote to memory of 3088 (process: 3d23e9731770f2e6807d4ee80bcbfefc.exe, procid_target: 90)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3d23e9731770f2e6807d4ee80bcbfefc.exe (PID 1928)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3d23e9731770f2e6807d4ee80bcbfefc.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\2.exe (PID 3088)
      Command line: "C:\Windows\2.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 115KB
MD5: 10570e62dde13a7045111510304bc3c5
SHA1: ce631a1559c2fc56e940d034c7b5ba5804fbdf08
SHA256: 49b35bff979169b2c8c6b63c04da3a37b866e7f3ace3b1080b1a43b0719d3f4a
SHA512: 143e25c54369b319c7b7d66e1bfa635c7dae0373d8389fcaea77d86468fa342048f5bce2c9cf453ec476121b1a79729504b0bcf0ce2e8bef62b0ca040b1b134a