Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 07:48
Tasks

Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: Keygen.exe, win7-20240221-en
- behavioral2: Keygen.exe, win10v2004-20240226-en
- behavioral3: Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/Keygen.exe, win7-20240221-en
- behavioral4: Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/Keygen.exe, win10v2004-20240226-en
- behavioral5: Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/sym-wmsmtelnetsp.exe, win7-20240221-en
- behavioral6: Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/sym-wmsmtelnetsp.exe, win10v2004-20240226-en
General

Target: Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/Keygen.exe
Size: 473KB
MD5: 18941095bbf897e1880bdd77f1f50c2b
SHA1: d44eb8f9d83828372106e88858fcf67becb81ab0
SHA256: 73b232df35f94e6b31052a33e2a14fc57e353928fadd30b1292b6823c8595ed5
SHA512: d93e76d777dae2845750fd297f14336c20caecbbb7366f06e5fa5a06292e7a75d8e9893b8a448b28435c166cafb7ebdc6ca4cdb7020279029e24c85d6a0cddda
SSDEEP: 6144:hJaiaZTY1DAA5Nw6dWW+18gVVZKtHdvYG5F8D4qpAH2sxJag/gwHgNU:JaZTYGA5Nw6odVyRYK2D4rV5HgU
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation (process: Keygen.exe)

Executes dropped EXE (3 IoCs)
- PID 1408: setup_m.exe
- PID 4272: setup.exe
- PID 2084: winlogon.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe" (process: winlogon.exe)
Note that the autostart target is C:\Windows\winlogon.exe, a file dropped by setup_m.exe; the genuine winlogon.exe lives in C:\Windows\System32, so the name is being reused to blend into process listings.
Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (process: setup.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: setup.exe)

Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\system32\fmod.dll (process: setup.exe)

Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (process: setup.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: setup.exe)
- File created: C:\Windows\winlogon.exe (process: setup_m.exe)
- File opened for modification: C:\Windows\assembly (process: setup.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2084: winlogon.exe

Suspicious use of WriteProcessMemory (8 IoCs)
(description, pid, process, procid_target)
- PID 348 wrote to memory of 1408, 348, Keygen.exe, 88
- PID 348 wrote to memory of 1408, 348, Keygen.exe, 88
- PID 348 wrote to memory of 1408, 348, Keygen.exe, 88
- PID 348 wrote to memory of 4272, 348, Keygen.exe, 89
- PID 348 wrote to memory of 4272, 348, Keygen.exe, 89
- PID 1408 wrote to memory of 2084, 1408, setup_m.exe, 91
- PID 1408 wrote to memory of 2084, 1408, setup_m.exe, 91
- PID 1408 wrote to memory of 2084, 1408, setup_m.exe, 91
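The behaviours flagged above (a winlogon.exe dropped into C:\Windows instead of System32, a Run key pointing at it, and the Keygen.exe -> setup_m.exe -> winlogon.exe chain surfaced through WriteProcessMemory) are the ones worth turning into detection logic. The following is an added example, not part of the Triage report or of the sample, that runs such logic over constructed Sysmon-style events modelled on this report's IoCs. The event dictionary layout, the CORE_SYSTEM_BINARIES list and the is_user_writable heuristic are assumptions for illustration; the PIDs and paths mirror the report, while the OneDrive Run entry and the System32 winlogon.exe are constructed benign controls.

```python
import re
from collections import defaultdict

# Windows binaries that only legitimately execute from System32/SysWOW64; the same
# name anywhere else is masquerading (this list is an assumption, extend as needed).
CORE_SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                        "smss.exe", "svchost.exe", "wininit.exe"}
LEGIT_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Matches HKLM/HKCU Run and RunOnce, including the WOW6432Node view seen in this report.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)


def _split(path):
    """Return (folder, filename), both lower-cased, with any quoting stripped."""
    folder, _, name = path.strip('"').rpartition("\\")
    return folder.lower(), name.lower()


def is_masqueraded_system_binary(path):
    folder, name = _split(path)
    return name in CORE_SYSTEM_BINARIES and folder not in LEGIT_SYSTEM_DIRS


def is_user_writable(path):
    folder, _ = _split(path)
    return "\\appdata\\local\\temp" in folder or folder.startswith(r"c:\users\public")


def suspicious_run_value(key, value):
    """Autostart value that launches a masqueraded system binary or a file in a
    user-writable folder; anything else under Run is left to allow-listing."""
    if not RUN_KEY_RE.search(key):
        return False
    return is_masqueraded_system_binary(value) or is_user_writable(value)


def build_process_tree(events):
    """pid -> image and ppid -> [child pids], from process-creation events only."""
    images, children = {}, defaultdict(list)
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
            children[ev["ppid"]].append(ev["pid"])
    return images, children


def render_tree(images, children, root, depth=0):
    lines = ["  " * depth + f"{images[root]} (PID {root})"]
    for child in children.get(root, []):
        lines.extend(render_tree(images, children, child, depth + 1))
    return lines


def triage(events):
    """Return (category, pid, artefact) findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create" and is_masqueraded_system_binary(ev["target"]):
            findings.append(("masquerade", ev["pid"], ev["target"]))
        elif ev["type"] == "process_create" and is_masqueraded_system_binary(ev["image"]):
            findings.append(("masquerade_exec", ev["pid"], ev["image"]))
        elif ev["type"] == "registry_set" and suspicious_run_value(ev["key"], ev["value"]):
            findings.append(("persistence", ev["pid"], ev["value"]))
    return findings


# Constructed events modelled on this report's process tree and IoCs (not real telemetry).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 348, "ppid": 0,
     "image": TEMP + r"\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\Keygen.exe"},
    {"type": "process_create", "pid": 1408, "ppid": 348, "image": TEMP + r"\setup_m.exe"},
    {"type": "process_create", "pid": 4272, "ppid": 348, "image": TEMP + r"\setup.exe"},
    {"type": "file_create", "pid": 1408, "target": r"C:\Windows\winlogon.exe"},
    {"type": "process_create", "pid": 2084, "ppid": 1408, "image": r"C:\Windows\winlogon.exe"},
    {"type": "registry_set", "pid": 2084,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon",
     "value": r"C:\Windows\winlogon.exe"},
    # Benign controls: a vendor Run entry and the genuine winlogon.exe in System32.
    {"type": "registry_set", "pid": 900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "process_create", "pid": 612, "ppid": 0, "image": r"C:\Windows\System32\winlogon.exe"},
]

if __name__ == "__main__":
    for category, pid, artefact in triage(SAMPLE_EVENTS):
        print(f"{category:16} PID {pid:<5} {artefact}")
    images, children = build_process_tree(SAMPLE_EVENTS)
    print("\n".join(render_tree(images, children, 348)))
```

Running it yields three findings (the dropped file, its execution, and the Run value) and reproduces the four-process tree shown in the Processes section; the two control events produce nothing because the name check is tied to the directory, not to the name alone.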
Processes

C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\Keygen.exe (PID 348)
Command line: "C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\Keygen.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\setup_m.exe (PID 1408, child of 348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_m.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\winlogon.exe (PID 2084, child of 1408)
    Command line: C:\Windows\winlogon.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 4272, child of 348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 268KB
MD5: de766c83c2ad4769622bc890201d3006
SHA1: 1ed22427a79cd039e53a28f8d2c7499c1ef413f7
SHA256: 039c40cad38397190a15e5817e73725586926893423f0c5a35056498371e60e3
SHA512: 4041184371a9c1bb5d5af93b68ddea1aa94edc61aeb6010539ae02f1420c8b0d651f5139b9fb6927efaef837a041c4792556ce4f85ceae452c964bb5fe7bfacd

File 2
Filesize: 200KB
MD5: 292a5adf25ddf66b98616243fdd11ed7
SHA1: b8de129bbed53d5de11c84a63f4d5b9602846a15
SHA256: 45ae78216e5c0339848bc101dc18ad41f23e6cb673bdf0f26f4558342343901c
SHA512: 67983db229d54958362f1d320f08d375911da5d68f1961c55613294f36295f20a2ec523b3d189c88bef198970a79f98fae76b26de37ad26c1190e702f4b97171