Analysis
  max time kernel: 134s
  max time network: 139s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18/01/2024, 11:34
Static task: static1
Behavioral task: behavioral1
  Sample: 6544eb01ffa6fdac7678a21893d5b672.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 6544eb01ffa6fdac7678a21893d5b672.exe
  Resource: win10v2004-20231215-en
General
  Target: 6544eb01ffa6fdac7678a21893d5b672.exe
  Size: 1.9MB
  MD5: 6544eb01ffa6fdac7678a21893d5b672
  SHA1: b1557bff478b9961c390c0c38abf54b8236fb237
  SHA256: 80db8be3a65030d614e9b01c1bab3e568bfdef5c367e51b0292a7d57338cbf4c
  SHA512: 3bc8db13c30787dc55ae7625c5406ff464eb3c6b637ca120b49e6d21eca2cfd832f7fd62932edd4676e77ea18f74e4e9065172c915d74e06c50c142689af3c84
  SSDEEP: 49152:/YdNpL8fTRc/qadSqx5OiXLDZaYZYKm8981BqeFRX:KLD/qadSqx3LNRbmgyTX
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 6544eb01ffa6fdac7678a21893d5b672.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4512 | ALUpProduct.exe
  920 | eausvc.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\ESTsoft\ALUpdate\eausvc.exe | 6544eb01ffa6fdac7678a21893d5b672.exe
  File created | C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe | 6544eb01ffa6fdac7678a21893d5b672.exe
  File opened for modification | C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe | 6544eb01ffa6fdac7678a21893d5b672.exe
  File created | C:\Program Files\ESTsoft\ALUpdate\eausvc.exe | 6544eb01ffa6fdac7678a21893d5b672.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4424 wrote to memory of 4512 | 4424 | 6544eb01ffa6fdac7678a21893d5b672.exe | 91
  PID 4424 wrote to memory of 4512 | 4424 | 6544eb01ffa6fdac7678a21893d5b672.exe | 91
  PID 4512 wrote to memory of 920 | 4512 | ALUpProduct.exe | 93
  PID 4512 wrote to memory of 920 | 4512 | ALUpProduct.exe | 93
Processes

1. C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe"
   PID: 4424
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe
      Command line: "C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe"
      PID: 4512
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\ESTsoft\ALUpdate\eausvc.exe
         Command line: eausvc.exe
         PID: 920
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 1.9MB
  MD5: f19fdc7371eedbfe64a7c4609bb3b522
  SHA1: b91b88d109c6e0ddd976094de7bbf5dcf030892e
  SHA256: 695d4bf95c830fd5b385a663ae4390f37d2df923eddff8e754c4a2f96817812f
  SHA512: c84943ac2504310d9ea5d2d35c89e2cb1b27fc1d77d8e8d625ca09423d692c6644d80c743fe706592d9bff8371154139cf59517da80eb7a8ee92cc406c58887f

  Filesize: 3.0MB
  MD5: 3671a0f937e4655ea864f1b533279837
  SHA1: 2e314a0b0bce66bfa29f2a24022b406e419e2226
  SHA256: 51b6b98ba33a6033e1d8d52602a6fe430cea04bba0168cd20e262aa39359157f
  SHA512: 99cdf34eb214005c23e30dc5efac920de5e9b558d6649d246e6f9f4e18ddb39268cafb0a1e0f8c830fb4e17f8397ee77cc1a5282436d6d1f01ba48b368bc8a82