Analysis
  max time kernel:  138s
  max time network: 157s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        02/02/2024, 15:31
Static task: static1

Behavioral task: behavioral1
  Sample:   89e10dab0f6e6787265ae69efe2eea33.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   89e10dab0f6e6787265ae69efe2eea33.exe
  Resource: win10v2004-20231215-en
General
  Target: 89e10dab0f6e6787265ae69efe2eea33.exe
  Size:   860KB
  MD5:    89e10dab0f6e6787265ae69efe2eea33
  SHA1:   b83bd1340099a6b66b5b2b2551b836982b4615a7
  SHA256: 13c92f9848f3f43f42a7e9882144b8229d17dee27fb52b05bba9f8c8e417a529
  SHA512: 3dbbaebba88d6e4f91de1958c10b1d04e48f5b5576ad90f5fe9c971d223b6e77fcec367530b7ca3b41aa23fe3245c385f9c6ca9392d9632d7a4a40c13af32bf7
  SSDEEP: 12288:1ynJ/2UZ6w9gaTHcJjdWP7av5YVP6JPrDbJm8drYE1ovmt7KPrUyN:1msUZ5gaorWPGauzDbJmARoNUi
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 89e10dab0f6e6787265ae69efe2eea33.exe

Executes dropped EXE (3 IoCs)
  pid  | Process
  4408 | ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
  2980 | dat.exe
  4956 | vx_6.exe
  The first name is a GBK-encoded Chinese filename rendered as cp1252 mojibake on the en-us sandbox; the bytes decode to 暴风影音2012高清版V3.10.01.15官方版补丁.exe ("Baofeng Yingyin 2012 HD edition V3.10.01.15 official patch"). The same mojibake form is the literal process name throughout this report.

  resource                                                                    | yara_rule
  behavioral2/files/0x000700000002312e-27.dat                                 | upx
  behavioral2/memory/4956-28-0x0000000000400000-0x000000000055A000-memory.dmp | upx
  behavioral2/memory/4956-30-0x0000000000400000-0x000000000055A000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
  Note: a RunOnce\wextract_cleanup<n> value calling advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder is the standard cleanup entry written by the Windows WEXTRACT/IExpress self-extractor; it deletes the extraction directory at next logon rather than relaunching the payload, so this hit indicates an IExpress-built dropper more than a persistence mechanism.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  4004 | 4956       | WerFault.exe | 85

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                                       | procid_target
  PID 3448 wrote to memory of 4408 | 3448 | 89e10dab0f6e6787265ae69efe2eea33.exe          | 83
  PID 3448 wrote to memory of 4408 | 3448 | 89e10dab0f6e6787265ae69efe2eea33.exe          | 83
  PID 3448 wrote to memory of 4408 | 3448 | 89e10dab0f6e6787265ae69efe2eea33.exe          | 83
  PID 3448 wrote to memory of 2980 | 3448 | 89e10dab0f6e6787265ae69efe2eea33.exe          | 84
  PID 3448 wrote to memory of 2980 | 3448 | 89e10dab0f6e6787265ae69efe2eea33.exe          | 84
  PID 3448 wrote to memory of 2980 | 3448 | 89e10dab0f6e6787265ae69efe2eea33.exe          | 84
  PID 4408 wrote to memory of 4956 | 4408 | ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe | 85
  PID 4408 wrote to memory of 4956 | 4408 | ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe | 85
  PID 4408 wrote to memory of 4956 | 4408 | ±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe | 85
Processes

[1] C:\Users\Admin\AppData\Local\Temp\89e10dab0f6e6787265ae69efe2eea33.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\89e10dab0f6e6787265ae69efe2eea33.exe"
    PID: 3448
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\±©·çÓ°Òô2012¸ßÇå°æV3.10.01.15¹Ù·½°æ²¹¶¡.exe"
        PID: 4408
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_6.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vx_6.exe
            PID: 4956
            - Executes dropped EXE

            [4] C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 548
                PID: 4004
                - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\dat.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\dat.exe"
        PID: 2980
        - Executes dropped EXE

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956
    PID: 1004
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 456KB
  MD5:      7e178a5140bef6ab279fc248fcecf2e1
  SHA1:     ef1379d1d6a8bb10bfdba97e52468982ab820d9f
  SHA256:   52edf0107d04ce02afad02b5b79278f47acca980ce4212a1380090688c438091
  SHA512:   5be068e01483ddab80a29aa2c7c8f7e59c19a1cd6947ef25da9af39a18f93417c0ff035b800b84c049993c26be6153e6db3a7a324a76ed1811d7b6c5e63a861c

  Filesize: 129KB
  MD5:      818c105a1f47d3684c567b795ab28ce1
  SHA1:     682deb84809209982daa1ae46d6e461bab6fe6ed
  SHA256:   8a994deda87e60751ade51c99ad4d34dd2abf774cd9b169cfbddb8b5c8681333
  SHA512:   5a17e32e9ec6f2531ce260a14994fa4f909c9133a445f312d7308dc9f351725abbeb45b27d47c3c1b56b97b89db2fd8ba309fdc194c54d83b852a02092b60e63

  Filesize: 601KB
  MD5:      e32032ba8cf97310410cc283df875e18
  SHA1:     a879010e5d795886dfd6e2252a66ec4ecf12321e
  SHA256:   ef00fb802e86aee48f68fce5e910ba10ebd05648ee9a639ed38ce16ebe3ac923
  SHA512:   c175b6bce65ad3a0dd36a2ec66c998fd844adaa5beb195c5ed9a04f63329ab011c62534164e6a9b7fff9f2c61a656a84db04db02ece56e8ac28d54b186fdc22c