Analysis
  max time kernel: 147s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10/03/2024, 19:43
Behavioral task: behavioral1
  Sample: 1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
  Resource: win7-20240221-en
General
  Target: 1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
  Size: 247KB
  MD5: 6bc8b8ea22ded629343c7cd37d165b69
  SHA1: ac644dbe00940622e829eea2c7ff98ddde7f2979
  SHA256: 1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8
  SHA512: 9335907ea8c7b3190adb4368238eb47b05eb279f7dc0195de681d3b33b2758377b7ef657de0d094e75606a49e97129780f6a108c68e586a4b1882c008268cc5b
  SSDEEP: 3072:YYB4Qlayj4kOLH7yUzOu376z6zODggW9VzzOninjdJpHk:5yQlayj4vLmar6zFVWjzzPRJpHk
Malware Config
  Extracted (urelas): 121.88.5.184
Signatures
  UPX dump on OEP (original entry point) (6 IoCs)
    resource / yara_rule:
      behavioral2/memory/1784-0-0x0000000000400000-0x0000000000445000-memory.dmp   UPX
      behavioral2/files/0x0007000000023212-6.dat   UPX
      behavioral2/memory/4776-12-0x0000000000400000-0x0000000000445000-memory.dmp   UPX
      behavioral2/memory/1784-14-0x0000000000400000-0x0000000000445000-memory.dmp   UPX
      behavioral2/memory/4776-17-0x0000000000400000-0x0000000000445000-memory.dmp   UPX
      behavioral2/memory/4776-18-0x0000000000400000-0x0000000000445000-memory.dmp   UPX
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description / ioc / Process:
      Key value queried   \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation   1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
  Executes dropped EXE (1 IoC)
    pid / Process:
      4776   shoste.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious use of WriteProcessMemory (6 IoCs)
    description / pid / Process / procid_target:
      PID 1784 wrote to memory of 4776   1784   1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe   90
      PID 1784 wrote to memory of 4776   1784   1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe   90
      PID 1784 wrote to memory of 4776   1784   1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe   90
      PID 1784 wrote to memory of 4992   1784   1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe   91
      PID 1784 wrote to memory of 4992   1784   1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe   91
      PID 1784 wrote to memory of 4992   1784   1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe   91
Processes
  C:\Users\Admin\AppData\Local\Temp\1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe"
    PID: 1784
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    child: C:\Users\Admin\AppData\Local\Temp\shoste.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
      PID: 4776
      signatures: Executes dropped EXE
    child: C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 4992
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 512B
    MD5: 84755d526a89b1cec68d6091abfbcb6d
    SHA1: c75a1553266458d5d4d6fb18291ea44563fa130f
    SHA256: 4485e73b8e2dd2346284b33156fcb30f8d6ab41c194933246803f1ab1b62665b
    SHA512: 78666508a3b72e65f9b1ec5736c88e3557023a7469be40e0a4b9e489e3b37fa6f50e87cc70779b66de19338b867e8037d572e965c4cf569dc9ef417d010f0f95
  File 2
    Filesize: 338B
    MD5: a2f1cfefee13539bee315ce711c269c6
    SHA1: 5a188e55886b54bdd6cc268825d0ee3238b3c57a
    SHA256: 541d4cb101005acc44067724797f497bc8f01efefbd2a389dcad8631cde48e76
    SHA512: eb8319f51e54bc432b793444a84d0f205cfda26387e45d86e8ef96ffefe8ea21c12d0d8dcda55c63a987d40f5214b28973feb929cf5445fe86cba72cb2b87698
  File 3
    Filesize: 247KB
    MD5: abfc2ddc2c9fa763e6af9aa16907e32e
    SHA1: 8162f5cf9e8a4ca7572e6bd497302507641ca94e
    SHA256: 98059e21b4d213d6686c7eeebc82bb2905bbaeba4ab06016a25144856f014667
    SHA512: 55df43192877f0fdf9b984a08c0a70e29132c7e44547048340e0d0bee205dcfb514cab14aa199ff3cb2ee50a6d5f830ee99bd2f3855afe2d83095de7c54ba23a