Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/06/2024, 00:20
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
  Resource: win10v2004-20240426-en
General
- Target: 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
- Size: 12KB
- MD5: ee9e7173cbacb0a1e820d2a96887fa2a
- SHA1: 70253a73f5f84eec8d0c69989864a275157a5dd7
- SHA256: 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987
- SHA512: 8c5761d23978e9ec15e0c5e07b872187ed3ca3a371706d607fac7bd7ad9f0d3058f772e8dcad67e4662e68f61c1b607963d264ae6f851e00d24563ad0ecb73bf
- SSDEEP: 384:XL7li/2zjq2DcEQvdhcJKLTp/NK9xaO9:bfM/Q9cO9
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation
  Process: 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
- Deletes itself (1 IoC)
  PID 2408, process tmp4ECD.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 2408, process tmp4ECD.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 936, process 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 936 wrote to memory of 4696 | 936 | 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe | 85
  PID 936 wrote to memory of 4696 | 936 | 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe | 85
  PID 936 wrote to memory of 4696 | 936 | 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe | 85
  PID 4696 wrote to memory of 2740 | 4696 | vbc.exe | 87
  PID 4696 wrote to memory of 2740 | 4696 | vbc.exe | 87
  PID 4696 wrote to memory of 2740 | 4696 | vbc.exe | 87
  PID 936 wrote to memory of 2408 | 936 | 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe | 88
  PID 936 wrote to memory of 2408 | 936 | 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe | 88
  PID 936 wrote to memory of 2408 | 936 | 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe | 88
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe"
  PID: 936
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xembfusg\xembfusg.cmdline"
    PID: 4696
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES513D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77C0B4093C7B40619EE4791EBC2813A.TMP"
      PID: 2740
  - Level 2: C:\Users\Admin\AppData\Local\Temp\tmp4ECD.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4ECD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
    PID: 2408
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads