Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 158s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/03/2024, 17:25
Static task: static1
Behavioral task: behavioral1
  Sample: c3ef9cb45f5cc4b446a43056ec73a48b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c3ef9cb45f5cc4b446a43056ec73a48b.exe
  Resource: win10v2004-20240226-en
General
Target: c3ef9cb45f5cc4b446a43056ec73a48b.exe
Size: 3.4MB
MD5: c3ef9cb45f5cc4b446a43056ec73a48b
SHA1: f9e774d51a2e869da2d153609b4fc3c2497dbc63
SHA256: 8fd87bd55cdb46b5bee7e431fd7fe7da152a2ec0d511179afdab8fcd369bd036
SHA512: cb60efb057bae4764c3fb3ee3ae4da1ed95a72155dc7f9f28e7ded64e70a6643e33f0f8061fb69fbb7d8a18c869df76f8a9af692e954121fb9d7e75df9d19e31
SSDEEP: 49152:OsmJOgW/G5HEJDI3pzZVKItiZlermD3jz/Tygr6tKyQtzyVhDpyLajBHj4f6gZBs:OsiWgn3XsI65//JG+CPbRjrgZQ0c
Malware Config
Signatures
- Blocklisted process makes network request (9 IoCs)
  flow  pid   Process
  50    4132  cmd.exe
  51    4132  cmd.exe
  54    4132  cmd.exe
  55    4132  cmd.exe
  56    4132  cmd.exe
  64    4132  cmd.exe
  65    4132  cmd.exe
  116   4132  cmd.exe
  119   4132  cmd.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  c3ef9cb45f5cc4b446a43056ec73a48b.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  8vIzgms1D.exe

- Drops startup file (1 IoC)
  description   ioc                                                                                           Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe  c3ef9cb45f5cc4b446a43056ec73a48b.exe

- Executes dropped EXE (2 IoCs)
  pid   Process
  2424  8vIzgms1D.exe
  3296  8vIzgms1D.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3296  8vIzgms1D.exe  (logged repeatedly)
  4132  cmd.exe        (logged repeatedly)

- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                               procid_target
  PID 2076 wrote to memory of 2856   2076  c3ef9cb45f5cc4b446a43056ec73a48b.exe  100  (3 entries)
  PID 2856 wrote to memory of 2424   2856  c3ef9cb45f5cc4b446a43056ec73a48b.exe  104  (3 entries)
  PID 2424 wrote to memory of 3296   2424  8vIzgms1D.exe                         105  (3 entries)
  PID 3296 wrote to memory of 4132   3296  8vIzgms1D.exe                         107  (5 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2076
  - [2] C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
        - Checks computer location settings
        - Drops startup file
        - Suspicious use of WriteProcessMemory
        PID: 2856
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 2424
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8vIzgms1D.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 3296
        - [5] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\SysWOW64\cmd.exe"
              - Blocklisted process makes network request
              - Suspicious behavior: EnumeratesProcesses
              PID: 4132

- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
      PID: 1008
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.4MB
  MD5: a5c336e12d7db3edf2330bdf21b57e55
  SHA1: 86f6fe262a792520003a3a60bc9cd0cd957200fd
  SHA256: bc24aba31b34f328fe080d49d6d5f598efedf44ef1b3f9c4dbde1d5708a24ef3
  SHA512: cff4352eccc8076212b6505e020caf544ebc8adbc89941dfa18688c7f23d54836258e5edce7fdc3848c747b23b765e75a30372286b0bf39c3147e45476a74c96

- Filesize: 1.3MB
  MD5: a5d71a5db6cb25481bdeed3d0bc50040
  SHA1: 076c84fbe70d637406389ea15bd760fd1aae549b
  SHA256: 07b4759ec2a2a759e457d742cc449f16148cdaa273fa0a22fcb66a02b5fb05cf
  SHA512: 607625da8b9868c093da74f6546d8924a534bed574a1f680e928c89ca04a57aa93843943a9947e2d4dc8feb359cdb8b1fbc401687463f8efc02f7b2ccb7c8544

- Filesize: 872KB
  MD5: 170bdb7a5025cd6ff96c582c4b14798c
  SHA1: 8b92f6cc67c4e289ead3f2067cc2cae50ae70630
  SHA256: 3bd9bdebee39d311dde3eefedfcdf5ccd40d6ac8c7ebbcf48a91e030bfe2be6e
  SHA512: 1caaf8317310d015a421ca0af99fc571d33694ad229e80366e10027c392d42f3372b9c695c269fede11629b9f11b302f5873ad6ad10c04cfed5500bd49e24b81

- Filesize: 657KB
  MD5: 7e9ccf2f3c150e6f5653c2407878a6f7
  SHA1: fb825e3a393d626162903d72bea797fdd5efc714
  SHA256: f7ca725d4dc917c8971efb482f4462975d0b35dfd606d2f98bff35d75a962b99
  SHA512: 3e8a6e81d41dd452b9a04e18c70b06d94369e097ca419a8fb1212aa0335d4304b4229b101417c8a1a0e65284dc07e19510f47dcc650434031dceeec197f65ad2