Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/01/2024, 16:22
Static task: static1
Behavioral task: behavioral1
- Sample: 77d2dac8adc2170b5dbb6cb81da39484.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 77d2dac8adc2170b5dbb6cb81da39484.exe
- Resource: win10v2004-20231215-en
General
- Target: 77d2dac8adc2170b5dbb6cb81da39484.exe
- Size: 624KB
- MD5: 77d2dac8adc2170b5dbb6cb81da39484
- SHA1: 4dcbcb676a3941fd5c712289d61f5d24c0a540b3
- SHA256: 17240c11b5d3a7e72a83e17700991de77a9e80c17245f12935ad7185ae035bff
- SHA512: 53e8f9c3dc53da6e8683df568a0c7290f56c0c1acd75bf82ad8ccc5aec3fda279846f4d786711b4e2941f41d71aad7adf48cee0e6a1efb3083ac122f57497bc2
- SSDEEP: 12288:aRF6tTn/4hkFS8l8UprDFxQtfQe1FgXAtfND9wPGNh5:xtT/4mgu5CtfPFgXifNDWPu
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"
  process: 21.exe
- Yara rule matches: aspack_v212_v242
  resource: behavioral2/files/0x0006000000023214-5.dat (yara_rule: aspack_v212_v242)
  resource: behavioral2/files/0x0003000000022765-37.dat (yara_rule: aspack_v212_v242)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
  process: 77d2dac8adc2170b5dbb6cb81da39484.exe
- Executes dropped EXE (2 IoCs)
  pid 4528: 21.exe
  pid 3260: QvodSetup5.exe
- Loads dropped DLL (1 IoC)
  pid 3040: Svchost.exe
- Yara rule matches: upx
  resource: behavioral2/files/0x0006000000023214-5.dat (yara_rule: upx)
  resource: behavioral2/memory/4528-11-0x0000000000450000-0x0000000000477000-memory.dmp (yara_rule: upx)
  resource: behavioral2/files/0x0006000000023215-13.dat (yara_rule: upx)
  resource: behavioral2/memory/4528-21-0x0000000000450000-0x0000000000477000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-22-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/4528-17-0x0000000000450000-0x0000000000477000-memory.dmp (yara_rule: upx)
  resource: behavioral2/files/0x0003000000022765-37.dat (yara_rule: upx)
  resource: behavioral2/memory/3040-40-0x0000000074640000-0x0000000074667000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3040-39-0x0000000074640000-0x0000000074667000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3040-41-0x0000000074640000-0x0000000074667000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3040-44-0x0000000074640000-0x0000000074667000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/4528-43-0x0000000000450000-0x0000000000477000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-46-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-47-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-48-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-49-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-51-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-52-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-55-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-56-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
  resource: behavioral2/memory/3260-59-0x0000000000400000-0x00000000004E3000-memory.dmp (yara_rule: upx)
- Drops file in System32 directory (2 IoCs)
  description: File opened for modification; ioc: C:\Windows\SysWOW64\0A200D38.tmp; process: 21.exe
  description: File opened for modification; ioc: C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll; process: 21.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1416: 77d2dac8adc2170b5dbb6cb81da39484.exe
  pid 1416: 77d2dac8adc2170b5dbb6cb81da39484.exe
  pid 4528: 21.exe
  pid 4528: 21.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3260: QvodSetup5.exe
  pid 3260: QvodSetup5.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 3260: QvodSetup5.exe
  pid 3260: QvodSetup5.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1416 wrote to memory of 4528; pid: 1416; process: 77d2dac8adc2170b5dbb6cb81da39484.exe; procid_target: 88
  description: PID 1416 wrote to memory of 4528; pid: 1416; process: 77d2dac8adc2170b5dbb6cb81da39484.exe; procid_target: 88
  description: PID 1416 wrote to memory of 4528; pid: 1416; process: 77d2dac8adc2170b5dbb6cb81da39484.exe; procid_target: 88
  description: PID 1416 wrote to memory of 3260; pid: 1416; process: 77d2dac8adc2170b5dbb6cb81da39484.exe; procid_target: 89
  description: PID 1416 wrote to memory of 3260; pid: 1416; process: 77d2dac8adc2170b5dbb6cb81da39484.exe; procid_target: 89
  description: PID 1416 wrote to memory of 3260; pid: 1416; process: 77d2dac8adc2170b5dbb6cb81da39484.exe; procid_target: 89
Processes
- C:\Users\Admin\AppData\Local\Temp\77d2dac8adc2170b5dbb6cb81da39484.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\77d2dac8adc2170b5dbb6cb81da39484.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1416
  - C:\Users\Admin\AppData\Local\Temp\Temp\21.exe (level 2, child of PID 1416)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\21.exe"
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 4528
  - C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe (level 2, child of PID 1416)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3260
- C:\Windows\SysWOW64\Svchost.exe (level 1)
  command line: C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
  - Loads dropped DLL
  PID: 3040
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 84KB
  MD5: 253f2fde80632a83581804a7b738657f
  SHA1: 412a963725ba924c310b5775698b372c6f0cfaaf
  SHA256: 310b8d3c80bc61371837c57c00a74cd263263f0f519faa713154e0da454dd88d
  SHA512: 62750357b04c25dda8a9a6d99ee885d6316691ad67e108093b524edc98b612a207ce9be92136c08a550073171590d97f646be868a10f42f744a56e4e0fff3327
- Filesize: 520KB
  MD5: 93e466074cb7d1833dd8f8f37dd85aed
  SHA1: c573a442d165bac4bfd5b15d4e1e88060c916fb5
  SHA256: b2da1f5a555d7e7f6d787e729628e95c858cc6112a5073680062f3b066352e28
  SHA512: d3b1a121658cefa0ab19e9bc13e430b877f697622c1c3ac392b5040bc7687a292e0097ec4d8c32cef4834bdd452cd8f9997ede9cbd1cd252dc24af92898e592b
- Filesize: 724B
  MD5: 699044976dea8a8de770f7606bfe21be
  SHA1: 91cc3bd4af4435262928633c890bb61d4d9a379e
  SHA256: 25558d41cab8fa52e67d14aae1b0ed21723a5fce5b5b609993420da729c13a87
  SHA512: 9408f828d7d95aff5783fe35b8fc4fb8ef127d76ce4377f5aeb5329daa92babc5cf180c9c57e834dff2d33c35e3bc87808e17cb6a18be7ec28894cd1537a2c24
- Filesize: 84KB
  MD5: e5e4662d1ffb37f096d5d1200f989023
  SHA1: da32d3a6867e42c3e03f5b20c4479d1b96920a88
  SHA256: 4c6f69d3188dddae6726596b4769344f57a024529311eb7d27898203a7aa9cdd
  SHA512: d9889e26843d787615515148f7b85877c5b33cd8b65bd16ba6ce953aa9aaa540201e37e08e16d1176a09d75a33bdc169f0d2610b45f9120394823be4a7664472