Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 138s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 26/03/2024, 19:18
Behavioral task behavioral1
Sample: dfe7a5f6acde124cf76208b495f5a365.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: dfe7a5f6acde124cf76208b495f5a365.exe
Resource: win10v2004-20240226-en
General
Target: dfe7a5f6acde124cf76208b495f5a365.exe
Size: 892KB
MD5: dfe7a5f6acde124cf76208b495f5a365
SHA1: 358bb1d543ff9959eb6875f664db045ffe9f7aa3
SHA256: 995f6b3740e67c8141fa0ce0550422767e1839b66ad1961b353c738468d81b54
SHA512: cbc1f2aa09276c25a47bf2023249d17f1f92ab5af05661c27114b888e61b59925eb4fd30608acb53b2f0fe8f5978f5230da802e6eaa8384f9fe7db6317fd4bc5
SSDEEP: 24576:EPPNhyA4z0LxilaV5lXRwr3mZdQgWMoFaZeOVEYWC0n+EE:2TyY5l8mVWMiaBzqn+H
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: dfe7a5f6acde124cf76208b495f5a365.exe
YARA rule matches (resource / yara_rule):
behavioral2/memory/2224-0-0x0000000000400000-0x0000000000423000-memory.dmp / upx
behavioral2/memory/2224-53-0x0000000000400000-0x0000000000423000-memory.dmp / upx
behavioral2/memory/2224-54-0x0000000000400000-0x0000000000423000-memory.dmp / upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings
Process: dfe7a5f6acde124cf76208b495f5a365.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 2224 wrote to memory of 3964
pid: 2224
Process: dfe7a5f6acde124cf76208b495f5a365.exe
procid_target: 99
(the same entry is recorded three times)
Processes
C:\Users\Admin\AppData\Local\Temp\dfe7a5f6acde124cf76208b495f5a365.exe
command line: "C:\Users\Admin\AppData\Local\Temp\dfe7a5f6acde124cf76208b495f5a365.exe"
PID: 2224
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (child of PID 2224)
    command line: "C:\Windows\System32\WScript.exe" "C:\vce\temp.vbs"
    PID: 3964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
PID: 4112
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 242B
MD5: c5ce1dd62a40fc0dafcd7e41c9f35247
SHA1: 8639c6a6d0ea0663c6d03622201c500333a93653
SHA256: 5df04786ebefe693cfa9837c8719dedce1afce54cc3024b9d4df7728ac973427
SHA512: 465fed20c923544582192d1e2553c88da837da40fb301da511d16f0752ca5573b7c03a9e567f9498cf20f75b806ae4698ffbac373c2e5c6f73d734f53b4323a2