Analysis

  • max time kernel
    134s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/01/2024, 11:34

General

  • Target

    6544eb01ffa6fdac7678a21893d5b672.exe

  • Size

    1.9MB

  • MD5

    6544eb01ffa6fdac7678a21893d5b672

  • SHA1

    b1557bff478b9961c390c0c38abf54b8236fb237

  • SHA256

    80db8be3a65030d614e9b01c1bab3e568bfdef5c367e51b0292a7d57338cbf4c

  • SHA512

    3bc8db13c30787dc55ae7625c5406ff464eb3c6b637ca120b49e6d21eca2cfd832f7fd62932edd4676e77ea18f74e4e9065172c915d74e06c50c142689af3c84

  • SSDEEP

    49152:/YdNpL8fTRc/qadSqx5OiXLDZaYZYKm8981BqeFRX:KLD/qadSqx3LNRbmgyTX

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe
    "C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe
      "C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Program Files\ESTsoft\ALUpdate\eausvc.exe
        eausvc.exe
        3⤵
        • Executes dropped EXE
        PID:920

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe

    Filesize

    1.9MB

    MD5

    f19fdc7371eedbfe64a7c4609bb3b522

    SHA1

    b91b88d109c6e0ddd976094de7bbf5dcf030892e

    SHA256

    695d4bf95c830fd5b385a663ae4390f37d2df923eddff8e754c4a2f96817812f

    SHA512

    c84943ac2504310d9ea5d2d35c89e2cb1b27fc1d77d8e8d625ca09423d692c6644d80c743fe706592d9bff8371154139cf59517da80eb7a8ee92cc406c58887f

  • C:\Program Files\ESTsoft\ALUpdate\eausvc.exe

    Filesize

    3.0MB

    MD5

    3671a0f937e4655ea864f1b533279837

    SHA1

    2e314a0b0bce66bfa29f2a24022b406e419e2226

    SHA256

    51b6b98ba33a6033e1d8d52602a6fe430cea04bba0168cd20e262aa39359157f

    SHA512

    99cdf34eb214005c23e30dc5efac920de5e9b558d6649d246e6f9f4e18ddb39268cafb0a1e0f8c830fb4e17f8397ee77cc1a5282436d6d1f01ba48b368bc8a82

  • memory/920-22-0x00007FF67A230000-0x00007FF67A3A7000-memory.dmp

    Filesize

    1.5MB

  • memory/4424-0-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

  • memory/4512-17-0x0000000000400000-0x0000000000512000-memory.dmp

    Filesize

    1.1MB