Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/03/2024, 00:23
Behavioral task: behavioral1
- Sample: c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
- Resource: win7-20240221-en
General
- Target: c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
- Size: 422KB
- MD5: e41a7d87cf5e5af616c4d7f9413d26f0
- SHA1: 6bf09e6e60b144977d346439cf215c4bea40b510
- SHA256: c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c
- SHA512: 21b5864632119ae429484b9e7fa3ba75fc0d4354fe99b404118d7a7f0ff5379664299b729d27de7edd35334604e3bfa1e2c97eec8303c0a05b2c6a43dff6d8fc
- SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqI:eU7M5ijWh0XOW4sEfeObI
Malware Config
- Extracted: urelas
  - 218.54.31.226
  - 218.54.31.165
Signatures
- resource yara_rule: behavioral2/files/0x0007000000023483-20.dat (aspack_v212_v242)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | Process: c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
  - description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | Process: becoc.exe
- Executes dropped EXE (2 IoCs)
  - pid 2896 | Process: becoc.exe
  - pid 3712 | Process: zuulr.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 3712 | Process: zuulr.exe (the same entry is repeated 64 times)
- Suspicious use of WriteProcessMemory (9 IoCs)
  - description: PID 2092 wrote to memory of 2896 | pid 2092 | Process: c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe | procid_target 93 (3 entries)
  - description: PID 2092 wrote to memory of 4960 | pid 2092 | Process: c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe | procid_target 94 (3 entries)
  - description: PID 2896 wrote to memory of 3712 | pid 2896 | Process: becoc.exe | procid_target 108 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c32edbfbfe44d82a49a386a28b9116ed2df4be2ebad3750b7d64cb2bd00dca4c.exe" (level 1, PID: 2092)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\becoc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\becoc.exe" (level 2, PID: 2896)
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zuulr.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\zuulr.exe" (level 3, PID: 3712)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" " (level 2, PID: 4960)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 0b10cd83fd8a55a75fe654db12d752ce
  SHA1: 0e4f27159346b32adb6e64b18f4128cca9dd9a17
  SHA256: 71d35ffeb3d91026463f07dfad70192e2601d70d9028f45daf3e4e9113063dab
  SHA512: 623b5b07298e0393125fd5fd7bf54eae05c756a72a895a0b7d537075116bd92287ff0f5e6367679feba83b1677375c5aaa16817f85e37303f37fb348b914b4f2
- Filesize: 422KB
  MD5: bc1f8061e8761d79829a295bfbea3aa7
  SHA1: 49c2408d1073630a7420434c5d2f2f88c272569f
  SHA256: fb03915d7998b8418d57c1da131a487ae0ab7927f3b13fda832eba9a2e601699
  SHA512: 89a4d543cd9e60b33e1ef95c7cc67e76f1074c0ecdcc7965eb5711c08d02231c6255603d84de15b7723e99c9a4ce6b335e9d4adc5a0a424a1666a8bd3aff55b9
- Filesize: 512B
  MD5: 17852201fed2d158d3d6c5ebfa32e07e
  SHA1: 96736d4dc0c23aba9241779f727e0638f0a2537e
  SHA256: ca81ca71f65a2c2ad20f55d2536f801e182da3c7c82ad5674fd977a0172457b6
  SHA512: f0e5e8cff0efa18cd8404183b859f1d777064cfb67129ec5caebbe961e3e9cabe07f5d32cab47c34574363a4225e9f03d24bc96bb2a540843bed03d93240500c
- Filesize: 212KB
  MD5: bcc871995d26e8c5865403888079fc9c
  SHA1: a90cf9fcbb2991368f4d760073187e6c61b3f6ee
  SHA256: a6d135ac0dd571238fdfac7f12146a18262bb4af8fb1d5962c8ddeeda9c9354e
  SHA512: 16dd8e33e81b74b0aa9741cb2aaece973361c42f1b4ca70239317ab1b24643b7db66f0f88825bc5eb93014d5cd71431be0212db3939ca46a4bee54bd61b1a171