Analysis
max time kernel: 160s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 08:50
Static task: static1
Behavioral task: behavioral1
  Sample: ae210788bd768ba5045a507e693a8163.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ae210788bd768ba5045a507e693a8163.exe
  Resource: win10v2004-20240226-en
General
Target: ae210788bd768ba5045a507e693a8163.exe
Size: 78KB
MD5: ae210788bd768ba5045a507e693a8163
SHA1: 9023d28eee827c8cf87bca3aa68df61c0426a5ca
SHA256: 85a35530eabc89c14ff95fb1ab1848c9749c4714bde250d3e798e77f211a627a
SHA512: 1296f39c090d2f56ec192dbcb54b3a86ba953dc614dae97a096c70eae3d89b0b7e5d3999f460a3ddf74783ed661325f2dd8834dba1a4a1f11794826b53334d1f
SSDEEP: 1536:dPWV58FXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC639/F1j5:dPWV58FSyRxvY3md+dWWZyP9/d
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation (process: ae210788bd768ba5045a507e693a8163.exe)
Executes dropped EXE (1 IoC)
  PID 4884: tmpA306.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" (process: tmpA306.tmp.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; PID 3852; process: ae210788bd768ba5045a507e693a8163.exe
  Token: SeDebugPrivilege; PID 4884; process: tmpA306.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3852 wrote to memory of 4028; process: ae210788bd768ba5045a507e693a8163.exe; procid_target: 90
  PID 3852 wrote to memory of 4028; process: ae210788bd768ba5045a507e693a8163.exe; procid_target: 90
  PID 3852 wrote to memory of 4028; process: ae210788bd768ba5045a507e693a8163.exe; procid_target: 90
  PID 4028 wrote to memory of 2612; process: vbc.exe; procid_target: 92
  PID 4028 wrote to memory of 2612; process: vbc.exe; procid_target: 92
  PID 4028 wrote to memory of 2612; process: vbc.exe; procid_target: 92
  PID 3852 wrote to memory of 4884; process: ae210788bd768ba5045a507e693a8163.exe; procid_target: 93
  PID 3852 wrote to memory of 4884; process: ae210788bd768ba5045a507e693a8163.exe; procid_target: 93
  PID 3852 wrote to memory of 4884; process: ae210788bd768ba5045a507e693a8163.exe; procid_target: 93
Processes
C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe"
  PID: 3852
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\088m62-1.cmdline"
    PID: 4028
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc493C8225AA4E4DBE80BAD3C0E68782A.TMP"
      PID: 2612
  C:\Users\Admin\AppData\Local\Temp\tmpA306.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA306.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe
    PID: 4884
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads