Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/02/2024, 04:41
Static task: static1
Behavioral task: behavioral1
- Sample: ea80838f3016998e4fc2532c736d5ca8.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: ea80838f3016998e4fc2532c736d5ca8.exe
- Resource: win10v2004-20231215-en
General
- Target: ea80838f3016998e4fc2532c736d5ca8.exe
- Size: 34KB
- MD5: ea80838f3016998e4fc2532c736d5ca8
- SHA1: 2f49a1059f746b74001a272fd67c2fa1e7db9edc
- SHA256: 393349478b4a904e4e4394891f7b3dc25c404a28c7d1381822e39b9ee683aa45
- SHA512: 8a014d128a07f1bd9b3e13daa5a4ea1e167fe4db856c89f7284249290be9f2915c47c065ecf9ffed4b085b11087785cf0ed546ea57a2f7c3f0125af811ef91ea
- SSDEEP: 384:bA74uGLLQRcsdeQ72ngEr4K7YmE8j60nrlwfjDUgIunIVpeNs23mAA6ls:bA74zYcgT/Ekd0ryfjPIunqpeNswmb
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
  Process: ea80838f3016998e4fc2532c736d5ca8.exe
- Executes dropped EXE (1 IoC)
  pid: 3900
  Process: hasfj.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Three identical events, one per IoC:
  description: PID 2872 wrote to memory of 3900
  pid: 2872
  Process: ea80838f3016998e4fc2532c736d5ca8.exe
  procid_target: 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea80838f3016998e4fc2532c736d5ca8.exe (PID 2872)
   command line: "C:\Users\Admin\AppData\Local\Temp\ea80838f3016998e4fc2532c736d5ca8.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\hasfj.exe (PID 3900, child of PID 2872)
      command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
      - Executes dropped EXE
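The WriteProcessMemory events and the process tree above are the two pieces a triager correlates first: who wrote into whom, how often, and whether the writer is the target's parent. A parent writing into a child it has just spawned is what the Windows process-creation path itself does while setting the child up, so three parent-to-child writes on their own are weak evidence; writes from a process that is not the target's parent are a much stronger injection indicator. The script below is an added example, not tria.ge's code or output; it takes the three WriteProcessMemory rows and the two-process tree transcribed from this report as constructed input, derives parentage from the tree's nesting, and ranks each writer/target pair. The verdict labels and thresholds are this example's own assumptions, not tria.ge's scoring.

```python
"""Correlate sandbox WriteProcessMemory rows with the process tree.

Added example (not tria.ge's code). Input is transcribed from the report
above; the verdict labels are this script's own assumptions.
"""
import re
from collections import Counter

# Constructed from the report: the three "Suspicious use of
# WriteProcessMemory" rows in the flattened
# "description pid Process procid_target" form the page shows.
WPM_ROWS = [
    "PID 2872 wrote to memory of 3900 2872 ea80838f3016998e4fc2532c736d5ca8.exe 85",
    "PID 2872 wrote to memory of 3900 2872 ea80838f3016998e4fc2532c736d5ca8.exe 85",
    "PID 2872 wrote to memory of 3900 2872 ea80838f3016998e4fc2532c736d5ca8.exe 85",
]

# Process tree transcribed from the report: (pid, nesting depth, image path).
PROCESS_TREE = [
    (2872, 1, r"C:\Users\Admin\AppData\Local\Temp\ea80838f3016998e4fc2532c736d5ca8.exe"),
    (3900, 2, r"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"),
]

# PIDs the report tags "Executes dropped EXE".
DROPPED_EXE_PIDS = {3900}

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_wpm_rows(rows):
    """Parse flattened WriteProcessMemory rows into (writer_pid, target_pid).

    Rows that do not match the expected shape are skipped, never guessed at:
    a triage script must not invent a PID.
    """
    pairs = []
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m is None:
            continue
        pairs.append((int(m["src"]), int(m["dst"])))
    return pairs


def parents_from_tree(tree):
    """Derive each PID's parent from nesting depth: the parent is the most
    recent shallower entry above it in the tree listing."""
    parents = {}
    stack = []  # (depth, pid) of the current ancestry chain
    for pid, depth, _image in tree:
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parents[pid] = stack[-1][1] if stack else None
        stack.append((depth, pid))
    return parents


def cross_process_writes(rows, tree, dropped_pids):
    """One finding per (writer, target) pair: write count, whether the writer
    is the target's parent, and whether the target is a dropped executable."""
    parents = parents_from_tree(tree)
    images = {pid: image for pid, _depth, image in tree}
    counts = Counter(parse_wpm_rows(rows))
    findings = []
    for (src, dst), n in counts.items():
        findings.append({
            "writer": src,
            "writer_image": images.get(src, "?"),
            "target": dst,
            "target_image": images.get(dst, "?"),
            "writes": n,
            "writer_is_parent": parents.get(dst) == src,
            "target_is_dropped_exe": dst in dropped_pids,
        })
    return sorted(findings, key=lambda f: (-f["writes"], f["writer"], f["target"]))


def triage_verdict(finding):
    """Assumed ranking for this example: a non-parent writer is 'inject';
    a parent writing into a dropped EXE it spawned is 'review' (expected
    during process creation, but worth a look); anything else is 'info'."""
    if not finding["writer_is_parent"]:
        return "inject"
    if finding["target_is_dropped_exe"]:
        return "review"
    return "info"


if __name__ == "__main__":
    for f in cross_process_writes(WPM_ROWS, PROCESS_TREE, DROPPED_EXE_PIDS):
        target_name = f["target_image"].rsplit("\\", 1)[-1]
        print(f"{triage_verdict(f):7} pid {f['writer']} -> pid {f['target']} "
              f"x{f['writes']} ({target_name})")
```

Run against this report the script yields a single "review" line for 2872 -> 3900 (three writes, parent to dropped child). Feeding it a row where the dropped child writes back into the sample, or where an unrelated PID writes into either process, would produce an "inject" finding instead, which is the case worth escalating.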
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 34KB
  MD5: 8197827be9bfeadc7e5d9a939b8cb275
  SHA1: 2f7eeeb3421d70b07dc1e1d47a0ca595f8906ac9
  SHA256: ed62f14ac3b074edd5a12bc3d6759985160eb5034e3a2d3e411d2a11ebb95ccf
  SHA512: 167422c85c21f26549cb2a0269f7ea1596a59b0e052568e1a469cb2e085f3408d8f5f0fa223986ea98318f3fee1a006d29bce52ff6a2a4915471c0885f3f9bf6