Analysis
Max time kernel: 93s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04/03/2024, 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: b249c3b71582873b624c95ca35749e4c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b249c3b71582873b624c95ca35749e4c.exe
  Resource: win10v2004-20240226-en
General
Target: b249c3b71582873b624c95ca35749e4c.exe
Size: 233KB
MD5: b249c3b71582873b624c95ca35749e4c
SHA1: c43865e9c426ca74337b9ed1ed6cd8aee7f4341b
SHA256: c47f904de040740820b09c3790e111189266a14875ac4422ae1002be5f4eab5d
SHA512: 6367bb9a33172f4c6b691763308f094cac118f34047af8e4f08cf011b871048e8a1f28ba73f464b2eb9f2f6d9cf1805b81262e3e6a86c0c105661140013d486e
SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B8QkgnYHfQlAY:o68i3odBiTl2+TCU/pk8KfQlE8
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
  Process: cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"
  Process: b249c3b71582873b624c95ca35749e4c.exe

Drops file in Windows directory (12 IoCs)
  File opened for modification: C:\Windows\winhash_up.exez (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon5.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon7.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon12.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\winhash_up.exez (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon2.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon3.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon6.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon10.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\SHARE_TEMP\Icon14.ico (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\bugMAKER.bat (process: b249c3b71582873b624c95ca35749e4c.exe)
  File created: C:\Windows\winhash_up.exe (process: b249c3b71582873b624c95ca35749e4c.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoC)
  PID: 1908
  Process: cmd.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description: PID 3384 wrote to memory of 1908 | PID: 3384 | Process: b249c3b71582873b624c95ca35749e4c.exe | Target procid: 86
  Description: PID 3384 wrote to memory of 1908 | PID: 3384 | Process: b249c3b71582873b624c95ca35749e4c.exe | Target procid: 86
  Description: PID 3384 wrote to memory of 1908 | PID: 3384 | Process: b249c3b71582873b624c95ca35749e4c.exe | Target procid: 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe"
   PID: 3384
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
      PID: 1908
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File size: 76B
MD5: 7e8909952d5e1817201f31584fc4cc06
SHA1: 833558bdebdee2b412d9e6941c89c2607fb2b574
SHA256: a2e4a0f4067c5d5be575bb078cba5670744a84b06ddf7a6cf48ed5dd5f138a9b
SHA512: 10997ef6181227f51aaa2fbe25aab84ddeebf0ac113795149834c1b8297c2244fec9b60ef9ed5b4e993100652d1731070592c68e1366796bc810786571cb6e7a