Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2024, 10:47

General

  • Target

    8c22cc6c36035347dce52fffc09d61d1.exe

  • Size

    32KB

  • MD5

    8c22cc6c36035347dce52fffc09d61d1

  • SHA1

    e84b5ef880593ae5dac4a3aab76ba66a97645356

  • SHA256

    edc343fe667f1a6beaa0bf8a7164304db1336ecdcace8186c045ff8370758f66

  • SHA512

    2c5499ad5ebe14910604dd3dc404c516b4d1c8113c721458950c189732c82a92dbd6d279d49ef03176e64ee12a6432bbd2a90fc3e0563602998e7c60e8861809

  • SSDEEP

    768:zOSTlzjFQ1i4l/8AxwzaGghufw/I2zMAV5ExonbcuyD7U:yOQj8Axwzanhuo/xBV0onouy8

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c22cc6c36035347dce52fffc09d61d1.exe
    "C:\Users\Admin\AppData\Local\Temp\8c22cc6c36035347dce52fffc09d61d1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\uPQCxThuOz.js" "C:\Users\Admin\AppData\Local\Temp\8c22cc6c36035347dce52fffc09d61d1.exe"
      2⤵
        PID:4076
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4452
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:728
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:728 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:960

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0A013ETK\favicon[1].htm

        Filesize

        291B

        MD5

        b73189024a094989653a1002fb6a790b

        SHA1

        0c44f096cd1fec253c1fe2fcfcd3c58fe05c402d

        SHA256

        014c471c07b2bc1b90cf5b46eb8eb60abe3ac278e43cd8fcc7c4e6c8950c592d

        SHA512

        1bca726835d33847812060c968e5306535f513429de5c90d66942155fd42ff75508dba97da8ca36c6d6e6a8df5a2602fe3be047bb5612ad4e367c6c00e1e50a3

      • C:\Users\Admin\AppData\Local\Temp\uPQCxThuOz.js

        Filesize

        10KB

        MD5

        2b1dcb98e33a48a9e2a827b3be6f49ec

        SHA1

        6ae76f3c0d2afd8f7f7353eef06d9c45a22352b4

        SHA256

        1d01ee8c0f6bcb07e18ca1009fd1e3ec2b9ccf1bcfb1354e06223564e0ea0ca3

        SHA512

        c20d6c1e5a6be745f07cc176628b7e8018a9681cba31b05c15f2c8f07efb0032e3e960621cc495fb08ca12e44fcef7ce26774409698234746543187510e2b077

      • memory/1144-0-0x0000000000010000-0x0000000000032000-memory.dmp

        Filesize

        136KB

      • memory/1144-3-0x0000000000010000-0x0000000000032000-memory.dmp

        Filesize

        136KB