Analysis
-
max time kernel
153s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64  arch:x86  image:win10v2004-20240226-en  locale:en-us  os:windows10-2004-x64  system -
submitted
13/03/2024, 17:08
Behavioral task
behavioral1
Sample
01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
Resource
win7-20240221-en
General
-
Target
01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
-
Size
420KB
-
MD5
3477f317276bf2d4ed1a92ece69b7c18
-
SHA1
87baec845ee28b294a49dc3368de06c1a63f524f
-
SHA256
01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5
-
SHA512
cb5111df85eec1cd0fee5c77ebc5a09cecff07bcef19c22ae0d5abf918b8a835e68fa9faaee5a0e8c93bc38c027ac660d84b37e78a76490630e9ea0474c866cb
-
SSDEEP
6144:UzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODGY:uU7M5ijWh0XOW4sEfeOn
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
resource: behavioral2/files/0x000e000000023169-21.dat  yara_rule: aspack_v212_v242 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  Process: 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  Process: hyixj.exe -
Executes dropped EXE 2 IoCs
pid: 1120  Process: hyixj.exe
pid: 2280  Process: nuzyd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 2280  Process: nuzyd.exe  (64 identical IoC rows, all from PID 2280) -
Suspicious use of WriteProcessMemory 9 IoCs
description: PID 2680 wrote to memory of 1120  pid: 2680  Process: 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe  procid_target: 91
description: PID 2680 wrote to memory of 1120  pid: 2680  Process: 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe  procid_target: 91
description: PID 2680 wrote to memory of 1120  pid: 2680  Process: 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe  procid_target: 91
description: PID 2680 wrote to memory of 4892  pid: 2680  Process: 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe  procid_target: 92
description: PID 2680 wrote to memory of 4892  pid: 2680  Process: 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe  procid_target: 92
description: PID 2680 wrote to memory of 4892  pid: 2680  Process: 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe  procid_target: 92
description: PID 1120 wrote to memory of 2280  pid: 1120  Process: hyixj.exe  procid_target: 111
description: PID 1120 wrote to memory of 2280  pid: 1120  Process: hyixj.exe  procid_target: 111
description: PID 1120 wrote to memory of 2280  pid: 1120  Process: hyixj.exe  procid_target: 111
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe"
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
          PID:2680
    (depth 2) C:\Users\Admin\AppData\Local\Temp\hyixj.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\hyixj.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID:1120
        (depth 3) C:\Users\Admin\AppData\Local\Temp\nuzyd.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\nuzyd.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  PID:2280
    (depth 2) C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
              PID:4892
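As an added example (not part of the tria.ge report and not Triage's own tooling), the Python below rebuilds the process chain from the WriteProcessMemory rows above, lists the dropped executables launched from the user's Temp folder, and names the processes that read the Geo\Nation value flagged as a likely geofence check. The row lists inside the block are constructed copies of the rows shown on this page; the column layout and PIDs come from the report and nothing else is assumed.

```python
"""Rebuild the process chain and flagged behaviours from the report's
signature rows.  Added example: the input lists below are constructed copies
of the rows shown in the report, not Triage's own data format or API."""
import re
from collections import defaultdict

# Constructed from "Suspicious use of WriteProcessMemory": description, pid,
# Process, procid_target (Triage's internal event-target id, not a PID).
# One row is deliberately repeated, as the report repeats each write.
WPM_ROWS = [
    "PID 2680 wrote to memory of 1120 2680 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe 91",
    "PID 2680 wrote to memory of 1120 2680 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe 91",
    "PID 2680 wrote to memory of 4892 2680 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe 92",
    "PID 1120 wrote to memory of 2280 1120 hyixj.exe 111",
]

# Constructed from the "Processes" tree: pid -> image path.
PROCESSES = {
    2680: r"C:\Users\Admin\AppData\Local\Temp\01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe",
    1120: r"C:\Users\Admin\AppData\Local\Temp\hyixj.exe",
    2280: r"C:\Users\Admin\AppData\Local\Temp\nuzyd.exe",
    4892: r"C:\Windows\SysWOW64\cmd.exe",
}

# Constructed from "Checks computer location settings".
REG_ROWS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation 01ae502f888424cdc5d5066e06043e187fbc928e7edb610cd6b1b034908f72c5.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation hyixj.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_wpm(rows):
    """(writer_pid, target_pid) edges, deduplicated in first-seen order.
    The report repeats each write several times, so raw rows over-count."""
    edges = []
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edge = (int(m.group(1)), int(m.group(2)))
            if edge not in edges:
                edges.append(edge)
    return edges


def chains(edges):
    """Every root-to-leaf pid chain, depth first, children in report order."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    out = []

    def walk(pid, path):
        path = path + [pid]
        if pid not in children:
            out.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return out


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def dropped_executions(edges, processes):
    """Children whose image lives in the user's Temp folder: payloads written
    and launched by the chain.  The sample itself sits in Temp only because the
    sandbox places it there, and as the root it never appears as a child."""
    hits = []
    for _, child in edges:
        image = processes.get(child, "")
        if in_user_temp(image):
            hits.append((child, basename(image)))
    return hits


def geofence_queries(rows):
    """Images that read HKCU\\Control Panel\\International\\Geo\\Nation, the
    value the report flags as a likely geofence check."""
    hits = []
    for row in rows:
        m = GEO_RE.search(row)
        if m and m.group(1) not in hits:
            hits.append(m.group(1))
    return hits


def summarize(wpm_rows=WPM_ROWS, processes=PROCESSES, reg_rows=REG_ROWS):
    edges = parse_wpm(wpm_rows)
    return {
        "edges": edges,
        "chains": chains(edges),
        "dropped_exe": dropped_executions(edges, processes),
        "geofence": geofence_queries(reg_rows),
    }


if __name__ == "__main__":
    summary = summarize()
    for chain in summary["chains"]:
        print(" -> ".join(f"{pid}:{basename(PROCESSES[pid])}" for pid in chain))
    print("dropped EXE executed:", summary["dropped_exe"])
    print("geofence check by:", summary["geofence"])
```

Run stand-alone it prints the two chains (2680 -> 1120 -> 2280 and 2680 -> 4892), the two dropped executables the report lists under "Executes dropped EXE", and the two images that read Geo\Nation. Deduplicating the write events before building the tree is what keeps the tree faithful: the repeated rows describe the same parent/child pair, not three children.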
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
340B
MD5 86c780808e3c6d7581e2acdb8b80cee4
SHA1 696e0054037417e2e149dceb1c5d5f162bcde5aa
SHA256 fed1d2ceccbc04813bd3c04ca974b9f9452697e3fd5b09e8500a917430318d89
SHA512 6faf7d56ef2e9b10119e9f4c64d53e001ea6346f925badb3b4d8b993579e828a6b006bd576af486a3f3d9efb1da5eb61903d83900a63a76d201ca087d51c788e
-
Filesize
512B
MD5 7686350269f1267a3a9c93969ca3e77d
SHA1 802a0aa2e18354280629a4a7e45dd42aa332695c
SHA256 4092f33ecf29a5f111bdfb463367a867ff13d645f555d30144ade7fce5d68135
SHA512 83f814c3c496cb77d1bc200866f5f8c65de7148d9fdd0439dc32ce762408e6aa8b45099821751209ffa0b02d93b6013ad4f21d3fe7524ea45c6ea5985a08d84d
-
Filesize
420KB
MD5 8c15f1f2e773fb79444a3c4b69bfdf84
SHA1 20e57d114ec600b51141751fd8c89bea76c44bcd
SHA256 50f8c2c7d2523d067ba6eb7d5c00602aa1e806b18787b4ee2d19416d3373d3c5
SHA512 5408087dba8fcade2533aaa99f5e50692e70f96f01c5d39e8dbc265a0e11bd7015768945b6dbdbeb363ca6334ffb0e8037c2f559d59d47cd3cfe3a403c87ca86
-
Filesize
212KB
MD5 1fc66116f69c5a2be2e17bf4a317a7bc
SHA1 4c0645cbb9da70aad5cd9babf9ae654eb64031b1
SHA256 515e2a95cc250c07d94722d4eca37c739914605333f00ac26a943c8ef91d7fb3
SHA512 7b2222e9daad458e40d09d5d52a86406ddc5dad8660ed3dac8d5553fc3e0f4475b08610afedd72ce434cd985060e353eb9c9cd666732dff5d3d5215b1d3eb875