Analysis
- max time kernel: 119s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/03/2024, 14:06
Static task: static1
Behavioral task: behavioral1
  Sample: b2513ad2f69e95139b51cd2da8c09064.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b2513ad2f69e95139b51cd2da8c09064.exe
  Resource: win10v2004-20240226-en
General
- Target: b2513ad2f69e95139b51cd2da8c09064.exe
- Size: 1.0MB
- MD5: b2513ad2f69e95139b51cd2da8c09064
- SHA1: 9be7c6c865f270fc3ddae090a7e3d3eccecd2026
- SHA256: 8f72d46efcdeb6a82eade69cde0492916191d3802a38872c57be9d59009101a7
- SHA512: 890684a6d127db8535ab8f2b342fae7f715b5d0ebf0a54447dbe2dc6f58fc9fa77e251ee6c2e686833d3f4b113ca570aabdfb3ac3a397cae9916289b0efec93e
- SSDEEP: 24576:NamTlvvYXDZdzIKY0zD87wK0YICHPhBPchUwOoUaw:N5lH0VNIT7yIHpBsDs1
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation; process: b2513ad2f69e95139b51cd2da8c09064.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation; process: usnscv.exe
- Executes dropped EXE (1 IoCs)
  pid: 2384; process: usnscv.exe
- Loads dropped DLL (2 IoCs)
  pid: 2384; process: usnscv.exe
  pid: 2384; process: usnscv.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\""; process: reg.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid: 1528; pid_target: 2384; process: WerFault.exe; procid_target: 97
- Modifies registry key (1 TTPs, 1 IoCs)
  pid: 1272; process: reg.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2384; process: usnscv.exe
  pid: 2384; process: usnscv.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 2384; process: usnscv.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each of the four rows below is reported three times)
  description: PID 1912 wrote to memory of 2384; pid: 1912; process: b2513ad2f69e95139b51cd2da8c09064.exe; procid_target: 97
  description: PID 2384 wrote to memory of 4192; pid: 2384; process: usnscv.exe; procid_target: 98
  description: PID 4192 wrote to memory of 3052; pid: 4192; process: cmd.exe; procid_target: 100
  description: PID 3052 wrote to memory of 1272; pid: 3052; process: cmd.exe; procid_target: 101
Processes
- C:\Users\Admin\AppData\Local\Temp\b2513ad2f69e95139b51cd2da8c09064.exe (PID 1912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2513ad2f69e95139b51cd2da8c09064.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\usnscv.exe (PID 2384)
    Command line: "C:\Users\Admin\AppData\Local\usnscv.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4192)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 3052)
        Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (PID 1272)
          Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ctfmon /D "\"C:\Users\Admin\AppData\Local\usnscv.exe\"" /f
          - Adds Run key to start application
          - Modifies registry key
    - C:\Windows\SysWOW64\WerFault.exe (PID 1528)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 744
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3264)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2384 -ip 2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1288)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4384 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148B
  MD5: 6f893fa27049e87617787e4964ad5ecb
  SHA1: 2efa3418e797e4d5ced66044eff405cb2f93060c
  SHA256: a9912cc06ab8465ecbf27c5b6887ba94421e213d1fff1467ee1d8f20a72f0b60
  SHA512: 08188fd11947612212701c3fffc253bb69530091115cf6c59650ed70851a8b56b5508cf458df9e742956144be1b3738560a33871a4be782798a63f04b7dae57f
- Filesize: 71KB
  MD5: ba190ef2c7ede61ef4459947f92689a7
  SHA1: 0972e154a52f86a8126b1f79575b888ab63e5b13
  SHA256: d06c7c0f8810a75e92b2654a2f2b54d35b1a1cf8c92ea0ef1320630f1b736424
  SHA512: e68efb700614476abfcd0e503f1a142ee8b8ba761bb1467f7c58e21fb38a1e00d4bb0005eb85f93d0845b9d3f2344e0d32c1c5cebfa79610649213162f646626
- Filesize: 559KB
  MD5: 027905218f9a0db3f92e33de4eb30b31
  SHA1: da5e3fb607c31cf125ec9dd61b5504c845d5ca7a
  SHA256: 94b41ed321c207eeea31a86f606fcd26b26bb26a88bd81b761cdf27b0b90deea
  SHA512: 46f55d671a4d468b6ee61a5c4bf8465ca941342f95fed0f60636a535d259e83ee2d98a4fb673f9b95cf6ddb8bd61bbe9b72cf55c6f6e18201a39181b82b2743d