Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/04/2024, 18:18
Static task: static1
Behavioral task: behavioral1
- Sample: 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe
- Resource: win10v2004-20240226-en
General
- Target: 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe
- Size: 103KB
- MD5: 5d2d36e7d41e9969aa5164d77a06818d
- SHA1: f0b1dcba48d2b02641b65a28213fe8908cf9f590
- SHA256: 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29
- SHA512: aa4327aad1bd66b0c5eb2224fd86dbcb3baad6dcd23c9d8e5cec0376c2f8a760f261fdd862f901985510dea5790c7173f189e432a0a45703dc890f521849b42d
- SSDEEP: 3072:sm+fXDeHEPTi6HiGLraYV6Z+RwPONXoRjDhIcp0fDlaGGx+cL26nASvVSTvE:sHvOQHXraYoZ+RwPONXoRjDhIcp0fDl4
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (process: 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe)
- Executes dropped EXE (1 IoC)
  PID 4508: winlogdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogdate.exe" (process: regedit.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  PID 1908 (target PID 4508): WerFault.exe, procid_target 89
  PID 3788 (target PID 4508): WerFault.exe, procid_target 89
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings (process: 0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe)
- Runs regedit.exe (1 IoC)
  PID 2312: regedit.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2552: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (13 IoCs)
  PID 2552: EXCEL.EXE (13 occurrences)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1804 (0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe) wrote to memory of PID 4508, procid_target 89 (3 occurrences)
  PID 1804 (0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe) wrote to memory of PID 2312, procid_target 90 (3 occurrences)
  PID 1804 (0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe) wrote to memory of PID 2552, procid_target 98 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe (PID 1804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0694e9d5f302540acda956ba60861153f0c617feffcf556fb874a531d947ff29.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe (PID 4508)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winlogdate.exe
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 1908)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 956
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 3788)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 908
      Signatures: Program crash
  - C:\Windows\SysWOW64\regedit.exe (PID 2312)
    Command line: regedit /s C:\Users\Admin\AppData\Local\Temp\kb71271.log
    Signatures: Adds Run key to start application; Runs regedit.exe
  - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2552)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\~tasyd3.xls"
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe (PID 3704)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4508 -ip 4508
- C:\Windows\SysWOW64\WerFault.exe (PID 568)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4508 -ip 4508
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 155B
  MD5: 7a7e633bc48b5bfbca53c568eaa28fe6
  SHA1: 32956698ceca3a79f21be91d655a6265dbd325b2
  SHA256: 7707e565fa020d2b20ff2a9650ff9a5f2d64323474dc4e4253dc4b53c4ecabfc
  SHA512: 3592b4ff34b7d85ddb225d2f0573208e12b3b62a76f3dffe7a36790c26a586544ab52973cb9c0eb587f27352d7e88f0a475d29426f977e53d71628bbd84e6f39
- Filesize: 42KB
  MD5: 3e6e32ff547a361fea67cb9198016a34
  SHA1: 3617400d2f3cbfed0ab1427c50bd7b58e52e43fa
  SHA256: 970eebd3a719020c9fc2f58b58d1c7104498a76e71885ec39b41323b520494e4
  SHA512: f3cf6b2b2f95d5fca07179e07e0163c2447ac297c1efc88d374d50d99595fcb9c536a32ba8d4c38953d66b7e8425b8883da89fd001324a385a8772ad8343f73b
- Filesize: 41KB
  MD5: ba4f88fe44d02a299dbeab18c37f74f3
  SHA1: f77d5dfccc1796b6f93156dea470c3bf20dba6c8
  SHA256: 8a12e9117f023c7207272ff291ee1a686b636890cd616b92cff990c369d993f6
  SHA512: badfaaa1a89a8184d7715fbde0a578876863ec517e27096c6621b11dcfdf7585e9039ab33b019fa01dcbed3194a990aecc3fe1c5a3646c54dee9208377c87504