Analysis
max time kernel: 92s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 20:20
Behavioral task: behavioral1
Sample: c14fb102c05d77ab7443cc15d489ea70.exe
Resource: win7-20240221-en
General
Target: c14fb102c05d77ab7443cc15d489ea70.exe
Size: 328KB
MD5: c14fb102c05d77ab7443cc15d489ea70
SHA1: cd2176a25e62066e076fe99efb30058a139c888d
SHA256: c7661d91bada02fb540c88e94bf5ee6594f5157a7b3343c19619a6b1ec5480b7
SHA512: 8e03afacbecc4aa4f5ffe00af996479405ccb02021530bda074964b4226001a7016c98fb84a7594e497abf765b7a11aa85ac66b9a19e6d261bfb29e2a0d51bf3
SSDEEP: 6144:wObaeY8zPekKKH/hT8PVdkLHtA3nPER5oSHzZ4NyQ:wOb/KKH/hT8PVdkJA3uoSiT
Malware Config (extracted)
urelas
121.88.5.184
121.88.5.183
218.54.30.235
218.54.28.139
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Process: c14fb102c05d77ab7443cc15d489ea70.exe

Executes dropped EXE (1 IoC)
pid: 4644
Process: opert.exe

resource / yara_rule matches:
behavioral2/memory/2444-0-0x0000000000400000-0x000000000045B000-memory.dmp -> upx
behavioral2/files/0x00060000000231ec-6.dat -> upx
behavioral2/memory/2444-14-0x0000000000400000-0x000000000045B000-memory.dmp -> upx
behavioral2/memory/4644-10-0x0000000000400000-0x000000000045B000-memory.dmp -> upx
behavioral2/memory/4644-17-0x0000000000400000-0x000000000045B000-memory.dmp -> upx
behavioral2/memory/4644-18-0x0000000000400000-0x000000000045B000-memory.dmp -> upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2444 wrote to memory of 4644 | 2444 | c14fb102c05d77ab7443cc15d489ea70.exe | 84
PID 2444 wrote to memory of 4644 | 2444 | c14fb102c05d77ab7443cc15d489ea70.exe | 84
PID 2444 wrote to memory of 4644 | 2444 | c14fb102c05d77ab7443cc15d489ea70.exe | 84
PID 2444 wrote to memory of 1068 | 2444 | c14fb102c05d77ab7443cc15d489ea70.exe | 85
PID 2444 wrote to memory of 1068 | 2444 | c14fb102c05d77ab7443cc15d489ea70.exe | 85
PID 2444 wrote to memory of 1068 | 2444 | c14fb102c05d77ab7443cc15d489ea70.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\c14fb102c05d77ab7443cc15d489ea70.exe (level 1, PID 2444)
  command line: "C:\Users\Admin\AppData\Local\Temp\c14fb102c05d77ab7443cc15d489ea70.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\opert.exe (level 2, PID 4644)
    command line: "C:\Users\Admin\AppData\Local\Temp\opert.exe"
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (level 2, PID 1068)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: eedb29ddd99eaacb97303426301d4575
SHA1: 598485f712057df31e2318e85d17949510adea21
SHA256: 79a0976bed8113f97584faf4ea7e820ecc6eb864a78b17fcdc9dcf8db252d84e
SHA512: cfcaeb5b791127f2b06cafc8590e4cc6ca2ea8a66f04abb7c6cad9bbe4ab84c819e1126b7919da68d3bdd25300866d695d40d61ab0b1cba8764c4c1dafe520db

Filesize: 328KB
MD5: 817bcb48a8363bdbca4f50a2e067249b
SHA1: 31a81387be4641a391c58f58722f6a2fe58dec08
SHA256: cd22962e1d5ef1e823bba9bf326072b0ee2b6abd0e8afb7ce10590d619c623a2
SHA512: b0e75c006ddef0451e90e2b554fcb885c6f8e6f3b57a9e07a89f371fe0f1fdc4d095edb0c0b4bd4d4d8acf050ec726588059b308f0b94c6d9d900edb4ec6d0e3

Filesize: 274B
MD5: 7d9dd9c904b68c7e726d39b0d390e0c0
SHA1: 5caa23245478df846b7b460dbef3cee92431e6b7
SHA256: a97ceca17fb783be3f4a06a8965cc15622e5ce5d8410e68ba554456ca68aff01
SHA512: efddffbf9031e1be8db233b418ddc1c21be82e8913815f205c65b76de5a9cc3bc6110af860b2c5c690f7d3a9b00c936f3172704215c7f898775be836d10dcd6a