Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 17:02

General

  • Target

    00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe

  • Size

    58KB

  • MD5

    a1fad08826b8fe95a7c226adf3d486a0

  • SHA1

    aed87097358bd47de493900263f3f014526fccb1

  • SHA256

    00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24

  • SHA512

    8c8af1abd779f218feaa476bec179f3748d5ab04da61dbefd001da0044e964a4273f291d85880a2705fed34fc0e013d6ff6718820d2b4ca16dad69943fea2395

  • SSDEEP

    384:5ItlYLkfSoxGMwIfUzAI7+U5QY8PfOc9cCWRLzENdloN1T8F0pEEu6AZkSX3uo9n:5+CLZoyIm5Vz2srIFLI63VvKP3KfiSiS

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe
    "C:\Users\Admin\AppData\Local\Temp\00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
      "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      PID:4756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

    Filesize

    58KB

    MD5

    500768769000cd2dc9a05d9419016c02

    SHA1

    36243d3af3460846aa60dfb795ec9fec53f7e0e5

    SHA256

    7db3d06b719d69cb6e79a7650d0737e987b27f9476ea04759d930c85b9a0d3c5

    SHA512

    29974b4b6bb3a8d49e71b2653d567c80cb95dc326ea1bb27e17443d587de74cda3df75ed302f32d49bb47c8b62fced1b582438763b6e9c10bef21d2ef4f684d8

  • C:\Users\Admin\AppData\Local\Temp\hhgnrddkjee.exe

    Filesize

    140B

    MD5

    ea8eef7d26ecc45b6a56c5ecdb494d42

    SHA1

    fd621efeb3a6649e0a7ed0a178fa51be3d5d7e1e

    SHA256

    1af29706d2a6b604a0e552114f17bb1789014da70e98d6cf05af542bafaca04f

    SHA512

    12aea78e33d411033ab3fb235f17013161d32c52c3a9b29e76c03dfe1c7ff97b39daadb9a02904923fb1fac0000a910dca2c692d949a8fa83620d09c0df62252

  • memory/208-0-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/208-2-0x0000000002910000-0x0000000002911000-memory.dmp

    Filesize

    4KB

  • memory/208-3-0x0000000002920000-0x0000000002D20000-memory.dmp

    Filesize

    4.0MB

  • memory/208-10-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4756-13-0x0000000002580000-0x0000000002980000-memory.dmp

    Filesize

    4.0MB

  • memory/4756-12-0x0000000002570000-0x0000000002571000-memory.dmp

    Filesize

    4KB

  • memory/4756-26-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB