Analysis

Max time kernel: 93s
Max time network: 114s
Platform: windows10-2004_x64
Resource: win10v2004-20240221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25/02/2024, 06:44
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: a3235608a45546b89e2e06e257ed47fc.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a3235608a45546b89e2e06e257ed47fc.exe
  Resource: win10v2004-20240221-en
General

Target: a3235608a45546b89e2e06e257ed47fc.exe
Size: 964KB
MD5: a3235608a45546b89e2e06e257ed47fc
SHA1: 69409415761dc6a3d215359c1c0bb7570532408c
SHA256: 669f00742f8622c69eeba62416b157d7fe894df352c1eff56c35d957ceab5148
SHA512: ee44bf591ee65b6737749b6409de6210d61b5ee3cc637517e3b32a8e3458c7a39778905da8950368f1fa0eb9c0d729cb506332e2a16b722234292d895cdf42b2
SSDEEP: 12288:Q2PXPk618mS7lRFtFpzpmGFYZJ+qNo+kbNMVYuybGGGoYYW:rPRSRj/pmGFcYH+kJ/uyK
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation
  Process: a3235608a45546b89e2e06e257ed47fc.exe

Executes dropped EXE (1 IoC)
  pid: 368
  Process: svchost.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\gEZxEz\\LPdyBK\\1.4.9.1690\\svchost.exe"
  Process: svchost.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 368 set thread context of 3876 | 368 | svchost.exe | 92

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target | events
  PID 1632 wrote to memory of 368 | 1632 | a3235608a45546b89e2e06e257ed47fc.exe | 91 | 3
  PID 368 wrote to memory of 3876 | 368 | svchost.exe | 92 | 9
Processes

- C:\Users\Admin\AppData\Local\Temp\a3235608a45546b89e2e06e257ed47fc.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3235608a45546b89e2e06e257ed47fc.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe (PID 368)
    Command line: "C:\ProgramData\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3876)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 475KB
MD5: 88661f02728c9503f5330ab4f01e00e9
SHA1: ec5021df35c5a87ff73f5076759da155d7ee39aa
SHA256: fa6b4516578bae05ea41ad7191dfa28fbc2d6274c4e61909619e081946e4af9d
SHA512: f90a0a27efc6c4af4aad45891c86171c3b865f3a16d97a20e9230b5274de2252695bf947fd86f725e032b5d1c3242328471d4c13ea3e1b749076b8e2874ac5c5