Analysis
- max time kernel: 134s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 02:32
Static task: static1
Behavioral task: behavioral1
- Sample: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Resource: win10v2004-20240508-en
General
- Target: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Size: 12KB
- MD5: b912a402c5c743b4fa0db4c9beded7a5
- SHA1: c64ae82aed37a3506450db09b5e4a5205fc009a2
- SHA256: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad
- SHA512: dc973419fd632d9b7e497894c51edef6fb3439dba8cbbc9e702cf4fc057d4702075ba79a0ea69706d0b2373fb7249154d8b92577e4386c1f024134a6fe98ab72
- SSDEEP: 384:LL7li/2zZq2DcEQvdhcJKLTp/NK9xaSs:fxM/Q9cSs
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
  Process: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Deletes itself (1 IoC)
  PID 4480, process tmp4382.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 4480, process tmp4382.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2148, process c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Suspicious use of WriteProcessMemory (9 IoCs; each of the three entries below was logged three times)
  PID 2148 (c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe) wrote to memory of PID 3744 (procid_target 87)
  PID 3744 (vbc.exe) wrote to memory of PID 4816 (procid_target 89)
  PID 2148 (c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe) wrote to memory of PID 4480 (procid_target 92)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe"
   PID: 2148
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hzlcu1fb\hzlcu1fb.cmdline"
      PID: 3744
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EB9A3145F346229ABF6F9E641A624C.TMP"
         PID: 4816
   2. C:\Users\Admin\AppData\Local\Temp\tmp4382.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4382.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
      PID: 4480
      - Deletes itself
      - Executes dropped EXE