Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 05:00
Static task: static1
Behavioral task: behavioral1
  Sample: f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
  Resource: win10v2004-20240508-en
General
Target: f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
Size: 12KB
MD5: 84c3cde186f5ce9e444c3080f4c02c94
SHA1: fa37fb0c8266c8576e68aeb756ba514b9361e066
SHA256: f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8
SHA512: 6dcda0b1d97872d01ee00617406aa20197f75008b56f3975da128d22477bc72501503b04e95187b43c45c1a66437e220e35bda7ad7696678c1d8e8b77e3f5dec
SSDEEP: 384:oL7li/2zHq2DcEQvdQcJKLTp/NK9xafy:WbMCQ9cfy
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
Deletes itself (1 IoC)
  pid: 5052, Process: tmp41DC.tmp.exe
Executes dropped EXE (1 IoC)
  pid: 5052, Process: tmp41DC.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 2012, Process: f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  PID 2012 wrote to memory of 848 / 2012 / f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe / 87
  PID 2012 wrote to memory of 848 / 2012 / f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe / 87
  PID 2012 wrote to memory of 848 / 2012 / f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe / 87
  PID 848 wrote to memory of 3016 / 848 / vbc.exe / 90
  PID 848 wrote to memory of 3016 / 848 / vbc.exe / 90
  PID 848 wrote to memory of 3016 / 848 / vbc.exe / 90
  PID 2012 wrote to memory of 5052 / 2012 / f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe / 91
  PID 2012 wrote to memory of 5052 / 2012 / f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe / 91
  PID 2012 wrote to memory of 5052 / 2012 / f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe / 91
Processes
C:\Users\Admin\AppData\Local\Temp\f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe (PID: 2012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID: 848)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3h03szj0\3h03szj0.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID: 3016)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCEADDE315F4B4591867C9851849F5EC1.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp41DC.tmp.exe (PID: 5052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp41DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: afc03d66b8e41dc46e9df395efdd1eda
SHA1: dd9e5b5a502fba756a7e6631f0d09145031d4fcd
SHA256: 1d4bdce518634a55140792ae304b2f45ea83bc1f4ad988ad7c701120da94c5b5
SHA512: a6c4bedc369df9631a82eca391639636c5a6fe2c58abd0150aa624a570be66a7cd23d4d61829996d2bc4521be376a1b5e1edb4fce6d309dd80f45c1ab3ed1d8a

Filesize: 273B
MD5: 26d550ec364b67f286d5ea64e36c74b8
SHA1: 503327f86823e12d2d035932a123235fa0b628b7
SHA256: d766ac9a62d5ec8e0accef84adc8553d2b7fd3a1f8738d5e202132d2b2ffcdb0
SHA512: eacb3daba060101b68ca039e029b445e2f6f3415a5ca8e8ccbafca50bd66ee46d782c12e9be9ac6d7e3794ffb48f9b9342b808b53e0b38d9782b65101bd3e1d5

Filesize: 2KB
MD5: ac6c0673ebaebb1c7827fd0f0cc929ef
SHA1: 868e31597ff5eefb87e77470d91456dda7786a38
SHA256: efd884c02eaebc145c64b37826df09c9de808eab7d3edcc91e83f0c4e2ba9742
SHA512: 24ddac0ea0918aba48e8305313f80e7cb20508918288890a797d4d0c811ab83da9eb325b2809a545470000b9bacd4ce203bc5353d5a24bb0ad7c870dd02ab4d4

Filesize: 1KB
MD5: 42943424c4067cbb67814ae2ce206a2a
SHA1: 2218735553765da8d9ac035a9b4d604786ded94d
SHA256: a3eeb0c907047d8453bf4116771b0ad9461cb3a70c89977afd5afc8d14a3f1e9
SHA512: 1004cd74cfdb55b90fe84170cfe18011aba00c07afc4ec1e4b4d470dfde7f06398a9ee9047755d4301338b0e547e9b43381312acf23094d7ba4591a69df439c2

Filesize: 12KB
MD5: b61f83afb8eb7f0c1a127042d559c7fd
SHA1: 1968a5ea18be304094e9d21bf0f2839509f3fdb3
SHA256: 56f0dad2a58ba073bb47705d72474f801b71f3aef46018b2f672d34e30c3ba4a
SHA512: 77af1801044cb73f32186323393af0c0ec1018cb67a3527541bc3bc51ab444b1097a1b2e8860587af61791c2b468422734381b00d319a8dc56a1892396450a26

Filesize: 1KB
MD5: 0e3845ba1f752750c6c880f5b0c97836
SHA1: aac045ed3ce7418d4bc383e9651aeeeafc4e18bc
SHA256: eadf4a38fb286e90d996a1db20af25cbefc8d7fa362bd849a2df7744afbbf5dd
SHA512: b507210f2f0dda7c379d091c1a2007b5ec66b6b1762520155bb9d2bd1a9094427480d4c8472d7f7e2847997acc46aad2a8d003d36429a99554a45e671bf583d3