Analysis

max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2024, 01:47
Behavioral task: behavioral1
Sample: 7bd58e6323b1a7986355da73147202d4.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 7bd58e6323b1a7986355da73147202d4.exe
Resource: win10v2004-20231215-en
General

Target: 7bd58e6323b1a7986355da73147202d4.exe
Size: 47KB
MD5: 7bd58e6323b1a7986355da73147202d4
SHA1: 1a7544dc9aa69b5a8a4214246b522d5a0dac9d2e
SHA256: e7ecf0f4b3d92addae48cf57675fefbf5c65264b7256513222a7029168f092ea
SHA512: 0fbe76e47981e83556716f595d7192d4bc47c41b5098f8f56fb33a2c4f1420242db11cbf9e259452b1e73c8f22168f722d05dc044d78d65ab7e2a72705877112
SSDEEP: 768:URGuY2P0Vo6r7SiAwyrMRjb4f9nbcuyD7U/zUYF8FE1j3kO:yPcVo6r7S/rabAnouy8/IYF8iiO
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation
  Process: 7bd58e6323b1a7986355da73147202d4.exe

YARA rule match: upx
  behavioral2/memory/3804-0-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral2/memory/3804-5-0x0000000000400000-0x000000000041C000-memory.dmp
Both dumps are of the 0x400000-0x41C000 region in PID 3804, the sample's own process at its default image base, so the match says the sample itself is UPX-packed; the 47KB file on disk expanding to a 0x1C000-byte mapping is consistent with that.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs .reg file with regedit (1 IoC)
  PID 4952  regedit.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID  Source process                         Target PID  procid_target  Calls
  3804        7bd58e6323b1a7986355da73147202d4.exe   3960        88             3
  3960        cmd.exe                                2288        91             3
  3960        cmd.exe                                4952        92             3
Each target is the child that the source process has just created (see the process tree below), and each parent writes into its child exactly three times. That pattern is consistent with ordinary CreateProcess setup of the child's process parameters rather than with code injection into an unrelated process; treat this signature as supporting context for the tree, not as evidence of injection on its own.

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 2288  attrib.exe
Processes

(1) C:\Users\Admin\AppData\Local\Temp\7bd58e6323b1a7986355da73147202d4.exe  (PID 3804)
    command line: "C:\Users\Admin\AppData\Local\Temp\7bd58e6323b1a7986355da73147202d4.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  (2) C:\Windows\SysWOW64\cmd.exe  (PID 3960)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8211.tmp\start.bat" "
      - Suspicious use of WriteProcessMemory

    (3) C:\Windows\SysWOW64\attrib.exe  (PID 2288)
        command line: attrib -h -r version.txt
        - Views/modifies file attributes

    (3) C:\Windows\SysWOW64\regedit.exe  (PID 4952)
        command line: regedit.exe /s sql.reg
        - Runs .reg file with regedit

The sample is a 32-bit executable (resource tag arch:x86) running on an x64 guest, so although the command lines name C:\Windows\system32\, file-system redirection resolves them to the SysWOW64 copies shown as the image paths. The batch file start.bat is staged in a freshly created 8211.tmp directory under the user's %TEMP%, and the relative names version.txt and sql.reg mean cmd.exe's working directory is that same directory. regedit.exe /s imports the .reg file silently, with no confirmation prompt, so the registry change happens without any user-visible dialog; the contents of sql.reg are not shown in this report.
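As an added example that is not part of the tria.ge report, the following Python shows how a detection engineer would turn the process tree above into a hunt over endpoint process-creation telemetry: reconstruct each process's ancestor chain, require a cmd.exe ancestor that is executing a .bat dropped under %TEMP%, and then flag a silent regedit import (/s with a .reg argument) or an attrib -h unhide launched beneath it. The geofence IoC is covered by a separate key-path check. The event records are constructed to mirror this report's tree plus two benign controls; the field names, the TEMP_BAT pattern and the rule labels are choices made for this example, not tria.ge fields or signatures.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 style); field names are this example's own."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed sample modelled on the tria.ge process tree above, plus two benign controls
# (an interactive regedit and a batch file run from a non-temp tools directory).
SAMPLE_EVENTS = [
    ProcEvent(3804, 1234, r"C:\Users\Admin\AppData\Local\Temp\7bd58e6323b1a7986355da73147202d4.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7bd58e6323b1a7986355da73147202d4.exe"'),
    ProcEvent(3960, 3804, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8211.tmp\start.bat" "'),
    ProcEvent(2288, 3960, r"C:\Windows\SysWOW64\attrib.exe", "attrib -h -r version.txt"),
    ProcEvent(4952, 3960, r"C:\Windows\SysWOW64\regedit.exe", "regedit.exe /s sql.reg"),
    ProcEvent(5100, 900, r"C:\Windows\regedit.exe", "regedit.exe"),
    ProcEvent(5200, 900, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Tools\build.bat"'),
]

# A .bat somewhere under the per-user Temp directory (e.g. the 8211.tmp staging folder in the report).
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\"]*\.bat", re.IGNORECASE)
# The Geo\Nation value under Control Panel\International, regardless of hive prefix or SID.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Walk parent links from pid upwards; stops at unknown parents and guards against PID reuse loops."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        cur = parent
    return chain


def detect(events: list) -> list:
    """Return (pid, rule, staging_cmd_pid) for suspicious children of a temp-staged batch file."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = ancestors(e.pid, by_pid)
        staging_cmd = next((a for a in chain
                            if image_name(a.image) == "cmd.exe" and TEMP_BAT.search(a.command_line)), None)
        if staging_cmd is None:
            continue  # no temp-dropped batch file in the lineage: ignore
        name = image_name(e.image)
        cl = e.command_line
        if name == "regedit.exe" and re.search(r"(^|\s)/s(\s|$)", cl, re.I) and re.search(r"\.reg\b", cl, re.I):
            findings.append((e.pid, "silent_reg_import", staging_cmd.pid))
        elif name == "attrib.exe" and re.search(r"(^|\s)-h(\s|$)", cl, re.I):
            findings.append((e.pid, "attrib_unhide", staging_cmd.pid))
    return findings


def is_geofence_lookup(registry_key: str) -> bool:
    """True when a queried registry path is the user's configured country (the report's geofence IoC)."""
    return GEO_NATION.search(registry_key) is not None


if __name__ == "__main__":
    for pid, rule, cmd_pid in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule} (staged by cmd.exe PID {cmd_pid})")
    print(is_geofence_lookup(r"\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000"
                             r"\Control Panel\International\Geo\Nation"))
```

Requiring the temp-staged cmd.exe ancestor is what keeps the two benign controls quiet: an interactive regedit with no parent in the telemetry, and a batch file run from C:\Tools, produce no findings. On real data, feed it records from your EDR or Sysmon Event ID 1, and remember that a registry query like the Geo\Nation read is not logged by Sysmon's registry events (which cover set/delete/rename), so that IoC is only observable in a sandbox or via API-level tracing.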
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 148B
MD5: 0398fe7d763956a9a81a9489e5f64eb9
SHA1: 716d72e0fed6213aad3e0428949dc79538a51b55
SHA256: e69bde63130e086838fdd3049e212578552c2b54198aae5d6c467a85f7bdac83
SHA512: 0ef5324d1f9d784235093c761a67c0c511c7b8de2019a76ac80281bfd4fca8869ffd5484c7626f7c87171849096ac5cb85deb83cf6ba52e3b2e1fe0c6216b395