Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2024, 12:35

General

  • Target

    509274c5c973b5c330be82845b57663f.exe

  • Size

    63KB

  • MD5

    509274c5c973b5c330be82845b57663f

  • SHA1

    79cff899d88ff8307eeafbda87098f833f42fb8f

  • SHA256

    4b02e5922ab65a6bf04702ebf73b4c019227596c06eac51acc0847f8b01e54f6

  • SHA512

    22c5fd3d88b9016e5b041ffff25db5f015c4b98043c25a59350506afc92c86500e2efb0b7e2d5d3ed09b011b3f436a48acbb27f8167f7d1113f125ccd762b613

  • SSDEEP

    1536:VdryyfYwLQhueIbzRFIj9JdHQWplS7N1DKmxAMNd1D2IobgMW:TrD9LiFOzrIj9DHGh45MNd1KgM

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry; likely a geofence.

  • Executes dropped EXE (1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe
    "C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\SysWOW64\jh.exe
      "C:\Windows\System32\jh.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c date 1983-10-19
        3⤵
          PID:388
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /im 360tray.exe /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4840
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 360tray.exe /f
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1344
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /im 360safe.exe /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3592
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 360safe.exe /f
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:5008
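
The tree above carries three behaviours worth turning into detection logic: the dropped binary executed from a system directory, cmd.exe resetting the system date, and taskkill aimed at Qihoo 360 processes. One caveat the tree also shows: the command line says C:\Windows\System32\jh.exe while the image on disk is C:\Windows\SysWOW64\jh.exe, which is WoW64 file-system redirection for a 32-bit process on a 64-bit image (the resource tags list arch:x86 alongside x64), so a hunt keyed on the System32 path alone would miss the file. The script below is an added example, not part of the tria.ge report: the event records are constructed by hand from the process tree on this page, and the ProcEvent field names and the KNOWN_SYSTEM_BINARIES allowlist are illustrative assumptions rather than any particular sensor's schema.

```python
"""Detection logic for the behaviours in the process tree above.

Added example; it is not part of the tria.ge report. The event records are
constructed by hand from the process tree on the page (paths, command lines,
PIDs). The ProcEvent fields and the KNOWN_SYSTEM_BINARIES allowlist are
illustrative assumptions, not any particular sensor's schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as seen on disk by the sensor
    cmdline: str   # command line as passed by the parent


# Constructed from the process tree on the page (ppid 0 = no parent in the tree).
EVENTS = [
    ProcEvent(5104, 0, r"C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe"'),
    ProcEvent(4020, 5104, r"C:\Windows\SysWOW64\jh.exe", r'"C:\Windows\System32\jh.exe"'),
    ProcEvent(388, 4020, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c date 1983-10-19"),
    ProcEvent(4840, 4020, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c taskkill /im 360tray.exe /f"),
    ProcEvent(1344, 4840, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /im 360tray.exe /f"),
    ProcEvent(3592, 4020, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c taskkill /im 360safe.exe /f"),
    ProcEvent(5008, 3592, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /im 360safe.exe /f"),
]

# Qihoo 360 components the sample targets (image names taken from the page).
SECURITY_PRODUCT_IMAGES = {"360tray.exe", "360safe.exe"}
# Both the native and the WoW64 system directory: a 32-bit process that writes
# to System32 is redirected to SysWOW64, which is where jh.exe actually landed.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_DIRS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Illustrative allowlist (assumption) of binaries expected under SYSTEM_DIRS.
KNOWN_SYSTEM_BINARIES = {"cmd.exe", "taskkill.exe", "conhost.exe"}

TASKKILL_IM = re.compile(r"/im\s+(\S+)", re.IGNORECASE)
DATE_CMD = re.compile(r"\bdate\s+\d{4}-\d{2}-\d{2}\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def taskkill_target(ev: ProcEvent):
    """Image name passed to 'taskkill /im', or None if this is not taskkill."""
    if basename(ev.image) != "taskkill.exe":
        return None
    m = TASKKILL_IM.search(ev.cmdline)
    return m.group(1).lower() if m else None


def kills_security_product(ev: ProcEvent) -> bool:
    return taskkill_target(ev) in SECURITY_PRODUCT_IMAGES


def changes_system_clock(ev: ProcEvent) -> bool:
    """cmd.exe setting the date, as PID 388 does with 'date 1983-10-19'."""
    return basename(ev.image) == "cmd.exe" and DATE_CMD.search(ev.cmdline) is not None


def wow64_redirected(ev: ProcEvent) -> bool:
    """Command line names System32 but the image on disk is under SysWOW64."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


def unexpected_binary_in_system_dir(ev: ProcEvent, by_pid: dict) -> bool:
    """Non-allowlisted image under a system directory, launched from a user-writable path."""
    image = ev.image.lower()
    if not image.startswith(SYSTEM_DIRS) or basename(image) in KNOWN_SYSTEM_BINARIES:
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and any(d in parent.image.lower() for d in USER_WRITABLE_DIRS)


def root_ancestor(ev: ProcEvent, by_pid: dict) -> ProcEvent:
    """Walk ppid links to the top of the tree so findings tie back to the sample."""
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev


def analyze(events):
    """Return (pid, rule, detail, root_pid) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        root = root_ancestor(ev, by_pid).pid
        if kills_security_product(ev):
            findings.append((ev.pid, "kills_security_product", taskkill_target(ev), root))
        if changes_system_clock(ev):
            findings.append((ev.pid, "changes_system_clock", ev.cmdline, root))
        if unexpected_binary_in_system_dir(ev, by_pid):
            findings.append((ev.pid, "dropped_exe_in_system_dir", ev.image, root))
        if wow64_redirected(ev):
            findings.append((ev.pid, "wow64_redirected_path", ev.image, root))
    return findings


if __name__ == "__main__":
    for pid, rule, detail, root in analyze(EVENTS):
        print(f"pid={pid:<5} root={root} {rule}: {detail}")
```

Run against the constructed events, every finding resolves to root PID 5104, the original sample; the taskkill rule fires on the taskkill.exe processes themselves (PIDs 1344 and 5008), not on the cmd.exe wrappers, because the wrapper command line is only evidence once the child actually runs.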

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\jh.exe

      Filesize

      9KB

      MD5

      23528fd2acbd57565ac391e769f11d0a

      SHA1

      3b1479c58db12f3cb60504909e55e6a960851a55

      SHA256

      f28c39eb7ee9be1c9cc5d84d7372ce601424462cebfd3359a2010152fa11abfe

      SHA512

      314ab22347402214b85f87c5fb918ac9b971e3e93fabfcb5aaf0fb8349309bf819145c18af03784d1264a26c9c84142d54cc2cafb7a1ea6c16d1f0a2456cc0b7

    • memory/4020-9-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/4020-11-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

    • memory/5104-0-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/5104-12-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB