Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 17:02
Behavioral task: behavioral1
- Sample: 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe
- Resource: win10v2004-20240508-en
General
- Target: 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe
- Size: 58KB
- MD5: a1fad08826b8fe95a7c226adf3d486a0
- SHA1: aed87097358bd47de493900263f3f014526fccb1
- SHA256: 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24
- SHA512: 8c8af1abd779f218feaa476bec179f3748d5ab04da61dbefd001da0044e964a4273f291d85880a2705fed34fc0e013d6ff6718820d2b4ca16dad69943fea2395
- SSDEEP: 384:5ItlYLkfSoxGMwIfUzAI7+U5QY8PfOc9cCWRLzENdloN1T8F0pEEu6AZkSX3uo9n:5+CLZoyIm5Vz2srIFLI63VvKP3KfiSiS
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | hhcbrnaff.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4756 | hhcbrnaff.exe
- resource | yara_rule
  behavioral2/memory/208-0-0x0000000000400000-0x000000000040D000-memory.dmp | upx
  behavioral2/files/0x000a00000002328e-7.dat | upx
  behavioral2/memory/208-10-0x0000000000400000-0x000000000040D000-memory.dmp | upx
  behavioral2/memory/4756-26-0x0000000000400000-0x000000000040D000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 208 wrote to memory of 4756 | 208 | 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe | 83
  PID 208 wrote to memory of 4756 | 208 | 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe | 83
  PID 208 wrote to memory of 4756 | 208 | 00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00c759af590238b4c0e51d3b128d74b896bada592b015be63577d03c42956b24.exe"
  PID: 208
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe (child process, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
    PID: 4756
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 58KB
  MD5: 500768769000cd2dc9a05d9419016c02
  SHA1: 36243d3af3460846aa60dfb795ec9fec53f7e0e5
  SHA256: 7db3d06b719d69cb6e79a7650d0737e987b27f9476ea04759d930c85b9a0d3c5
  SHA512: 29974b4b6bb3a8d49e71b2653d567c80cb95dc326ea1bb27e17443d587de74cda3df75ed302f32d49bb47c8b62fced1b582438763b6e9c10bef21d2ef4f684d8
- Filesize: 140B
  MD5: ea8eef7d26ecc45b6a56c5ecdb494d42
  SHA1: fd621efeb3a6649e0a7ed0a178fa51be3d5d7e1e
  SHA256: 1af29706d2a6b604a0e552114f17bb1789014da70e98d6cf05af542bafaca04f
  SHA512: 12aea78e33d411033ab3fb235f17013161d32c52c3a9b29e76c03dfe1c7ff97b39daadb9a02904923fb1fac0000a910dca2c692d949a8fa83620d09c0df62252