Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2024, 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: defc129e02f7491018870c51036bf597.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: defc129e02f7491018870c51036bf597.exe
  Resource: win10v2004-20231215-en
General
Target: defc129e02f7491018870c51036bf597.exe
Size: 132KB
MD5: defc129e02f7491018870c51036bf597
SHA1: 9e01c5137ba14916c30250f6cf522b36a187b6ff
SHA256: 13a56059ac7409f978090af2a11e59bacb66f1e01f7529e5cf2fc1d366155a05
SHA512: 23ccd8e3e7bec9fb093f974524fdf410e7231e345fab5a0a97308b1b7e88e78b78d764b54c5c42962b2d0f62bcb40003940638f61c39d2f1dfc26f33b675680a
SSDEEP: 3072:twxVMhOC/dTDbq91+mno3t4QZQ3rt8iJk/lE5eu95PGmN4h:tTfFDbRnOTrt5JEE5eu9nN4h
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | defc129e02f7491018870c51036bf597.exe

Executes dropped EXE (1 IoC)
pid | Process
1620 | 11.exe

resource | yara_rule
behavioral2/files/0x001000000002314e-4.dat | upx
behavioral2/memory/1620-9-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1620-31-0x0000000000400000-0x0000000000419000-memory.dmp | upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1620 | 11.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1620 | 11.exe
1620 | 11.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3424 wrote to memory of 1620 | 3424 | defc129e02f7491018870c51036bf597.exe | 85
PID 3424 wrote to memory of 1620 | 3424 | defc129e02f7491018870c51036bf597.exe | 85
PID 3424 wrote to memory of 1620 | 3424 | defc129e02f7491018870c51036bf597.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\defc129e02f7491018870c51036bf597.exe "C:\Users\Admin\AppData\Local\Temp\defc129e02f7491018870c51036bf597.exe" (PID: 3424)
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\11.exe "C:\11.exe" (PID: 1620)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 30KB
MD5: 64adcfa114e90e37770873d5d67163c2
SHA1: b3d652aafc8c1129cdca36185c193bab4a73f801
SHA256: db4ab3fbade2d12ef5645ee550720243cb5736d931c108a804fa5d383a06a002
SHA512: 8fafe015a0928277f4f27606c29ba4a5ee882c72b04be7ae40bf2670151006bd9148dc18065126f1d220276c441b0fc6d9e169325ac8629037180bdcac87fa81