Analysis
- max time kernel: 145s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/01/2024, 22:39
Static task: static1
Behavioral task: behavioral1
  Sample: 475972b37cdb3b35a80136909069f0c7.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 475972b37cdb3b35a80136909069f0c7.exe
  Resource: win10v2004-20231215-en
General
- Target: 475972b37cdb3b35a80136909069f0c7.exe
- Size: 199KB
- MD5: 475972b37cdb3b35a80136909069f0c7
- SHA1: be4d0e4ddce15e9770f50116b274fccde2109f00
- SHA256: d744376643daec408188928d0d9c5e102ddfeba7d5e0c88c4e66cfbec5239f57
- SHA512: 46baf065eb6f1664e1e7e57c7e74497cc89cd77b71b2b406947252c4905a4755322ba77a1c97a5f1a528e69e781a77990dcf8251b22a72cba798be232126cddc
- SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B8BkgnYT:o68i3odBiTl2+TCU/Ak8O
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" (process: 475972b37cdb3b35a80136909069f0c7.exe)
- Drops file in Windows directory (12 IoCs), all by process 475972b37cdb3b35a80136909069f0c7.exe:
  File created: C:\Windows\winhash_up.exez
  File opened for modification: C:\Windows\winhash_up.exez
  File created: C:\Windows\SHARE_TEMP\Icon2.ico
  File created: C:\Windows\SHARE_TEMP\Icon5.ico
  File created: C:\Windows\SHARE_TEMP\Icon6.ico
  File created: C:\Windows\SHARE_TEMP\Icon7.ico
  File created: C:\Windows\winhash_up.exe
  File created: C:\Windows\SHARE_TEMP\Icon3.ico
  File created: C:\Windows\SHARE_TEMP\Icon10.ico
  File created: C:\Windows\SHARE_TEMP\Icon12.ico
  File created: C:\Windows\SHARE_TEMP\Icon14.ico
  File created: C:\Windows\bugMAKER.bat
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2064 (cmd.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2700 (475972b37cdb3b35a80136909069f0c7.exe) wrote to memory of PID 2064 (procid_target 88)
  PID 2700 (475972b37cdb3b35a80136909069f0c7.exe) wrote to memory of PID 2064 (procid_target 88)
  PID 2700 (475972b37cdb3b35a80136909069f0c7.exe) wrote to memory of PID 2064 (procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\475972b37cdb3b35a80136909069f0c7.exe (PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\475972b37cdb3b35a80136909069f0c7.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2064, child of PID 2700)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76B
  MD5: d967f3079692f5e04aa10f747c6605c1
  SHA1: 2ef2e72b7446242b91589bbe15f967a42dbfcc89
  SHA256: 30eb09a3f8c49d3d8afabea5459182a8459bfcd2cd7779e762a5426fa06a36ff
  SHA512: 7d78cf27ec86abb6a5f22d4a82fc70f45357607dfe8d943ae5856b88c98643617b909c5f5c273eb2121e5293c29be66183e4361e23584cf5334c9b439c2f0209