Analysis
max time kernel: 132s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 19:38
Static task: static1
Behavioral task: behavioral1
  Sample: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
  Resource: win10v2004-20240508-en
General
Target: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Size: 12KB
MD5: c078a412683a55a2fabfe7351daf5aef
SHA1: d5b864368e318aab0740e41384c82e37b5fc398c
SHA256: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44
SHA512: 7a0e29f72dab53f626a9feec6dc1474dc2225dde59d3c41fcd55ce9f07804ee0e18fc6cf366c54639a337fde78ed24aadf84fb5f780a70ef3bc81d5f1a09f664
SSDEEP: 384:eL7li/2zbq2DcEQvdQcJKLTp/NK9xahW:IfMCQ9chW
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Deletes itself (1 IoC)
  PID 2600, process tmp40B3.tmp.exe
Executes dropped EXE (1 IoC)
  PID 2600, process tmp40B3.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2692, process 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 2692 wrote to memory of 2568 | 2692 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 86
  PID 2692 wrote to memory of 2568 | 2692 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 86
  PID 2692 wrote to memory of 2568 | 2692 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 86
  PID 2568 wrote to memory of 4536 | 2568 | vbc.exe | 88
  PID 2568 wrote to memory of 4536 | 2568 | vbc.exe | 88
  PID 2568 wrote to memory of 4536 | 2568 | vbc.exe | 88
  PID 2692 wrote to memory of 2600 | 2692 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 89
  PID 2692 wrote to memory of 2600 | 2692 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 89
  PID 2692 wrote to memory of 2600 | 2692 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe (PID 2692)
  command line: "C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2568)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zjb0zwnj\zjb0zwnj.cmdline"
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 4536)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4287.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73662B1D9B1A41C481B16326464D85CF.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp40B3.tmp.exe (PID 2600)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp40B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
    signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads