Analysis
max time kernel: 138s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe
  Resource: win10v2004-20240426-en
General
Target: 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe
Size: 54KB
MD5: 350eeb1fb8ed3b59df3b2771e74be56d
SHA1: 40a8cb81dbff1bd382272ac053f63220b3228a78
SHA256: 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc
SHA512: 9137ee5c6aaa1d8fa5b816af6718380d55435f8f4cb3292f910996cb26ffdd83f2d719c4b3596aeaa630d02b5fc82d1de47b2f659a1d61bdd28a14607672fa10
SSDEEP: 768:MApQr0ovdFJI34eGxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7BE:MAaDJlMsh7pWezEPJB+Oi
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe
Executes dropped EXE (1 IoC)
  pid | Process
  5968 | sal.exe
Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | \??\c:\windows\SysWOW64\sal.exe | 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3956 wrote to memory of 5968 | 3956 | 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe | 83
  PID 3956 wrote to memory of 5968 | 3956 | 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe | 83
  PID 3956 wrote to memory of 5968 | 3956 | 6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe | 83
Processes
C:\Users\Admin\AppData\Local\Temp\6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6dad690db9d2de730320dfb08047dd31d45e6cfcaa5bf39b8fae79b6fc02a7dc.exe"
  PID: 3956
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\windows\SysWOW64\sal.exe
    Command line: "C:\windows\system32\sal.exe"
    PID: 5968
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 54KB
MD5: 3ccd49740138963c48ebba65087fab04
SHA1: afbc3cff44f2b2e9833eabb0ac5366909b5ae7de
SHA256: 0e3b9d33b9e6f9156bcdc27b10990bc56b1787713befbc6edd66defbf15e4c81
SHA512: e7c6760943639f5f1e1f841e5f3179bd881432ecfba167fccf79353f29941182666cdc111d8d546388d60b22445dc53c8b3249a88d201399d4bcf4401689832d