Analysis
max time kernel
154s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
16/03/2024, 10:04
Static task
static1
Behavioral task
behavioral1
Sample
1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Resource
win10v2004-20240226-en
General
Target
1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Size
1.6MB
MD5
b22270d4f34b77e9b058073fe86bc54a
SHA1
a19dffbad17b8ae56d90d4af77e8e5006432e68e
SHA256
1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264
SHA512
9373bd6da7462a9e069170100523a77bb33e1570fa28bd8c8bc7d61463ec9faf2fcf79cbca4f4029ea59e37242116def5383d05fa1158e356dcc3c46ac146ed2
SSDEEP
24576:gPTSFvPz6LOpNNYVe16EEqk3a+WFEtsrJfo4u0+t7Teed24b6IQ+:gazfdr+WdrJQ4uztG8tV
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2752 | 4872 | WerFault.exe | 93
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Token: SeDebugPrivilege | 3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
3772 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4872 wrote to memory of 3772 | 4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe | 99
PID 4872 wrote to memory of 3772 | 4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe | 99
PID 4872 wrote to memory of 3772 | 4872 | 1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe | 99
Processes
C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
"C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4872
    C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe
    "C:\Users\Admin\AppData\Local\Temp\1024ee8629d188af6702132f9660dc754b41ca0cba40bed0fff674e375bcb264.exe" 475083
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3772
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1792
    - Program crash
    PID: 2752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4872 -ip 4872
PID: 1276
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
PID: 2232
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
5B
MD5
5bfa51f3a417b98e7443eca90fc94703
SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399