Analysis
  max time kernel:  91s
  max time network: 93s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240709-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        12/07/2024, 04:21
Static task:     static1
Behavioral task: behavioral1
  Sample:   31a194cac2e9de7a6007ed9ec667f810N.exe
  Resource: win7-20240705-en
General
  Target: 31a194cac2e9de7a6007ed9ec667f810N.exe
  Size:   269KB
  MD5:    31a194cac2e9de7a6007ed9ec667f810
  SHA1:   4c32b1079830ec850a9fc5772b62f7ec7e3f3eef
  SHA256: a0d51145bd3f6620032b432be3cdb9a4bd3a2b889c01d101c9a53d8c46c6b4e4
  SHA512: 26f488523aecfb4d26ea71f57a7b8fa155baf4e6d37c81a8f0ad9c810ed83be542effd26fda17e75c191afead0c19c4571614281ddd53e5224d05c447efc2974
  SSDEEP: 6144:C/l5MBlczZhOHP0DQIpUtJndnUvBJGxhw5UJp8wB:C/EwthXN0ZdUvBJFUN
Malware Config
Extracted configuration, family: gcleaner
  C2 addresses:
    185.172.128.90
    77.105.160.30
    185.172.128.69
These addresses come from the static config extractor, not from observed network traffic; treat them as network IOCs for this sample, with the usual caveat that loader infrastructure of this kind is rotated frequently.
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The Geo\Nation value holds the GeoID of the user's configured country (for example 244 for the United States), so a single read of it is enough for the sample to decide whether to run or bail out.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation
  process:     31a194cac2e9de7a6007ed9ec667f810N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
WerFault.exe was launched for the sample process, i.e. the sample itself crashed.
  pid: 3968 (WerFault.exe)   pid_target: 2588 (31a194cac2e9de7a6007ed9ec667f810N.exe)   procid_target: 82

Kills process with taskkill (1 IoC)
  pid: 4608   process: taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
taskkill.exe routinely enables SeDebugPrivilege when asked to force-terminate a process, so this row is a side effect of the taskkill command in the process tree rather than a separate privilege escalation.
  description: Token: SeDebugPrivilege   pid: 4608   process: taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Each parent/child pair is recorded three times (one row per observed write). A parent writing into a child it has just created is normal for CreateProcess and is not by itself evidence of code injection.
  PID 2588 wrote to memory of 2920   31a194cac2e9de7a6007ed9ec667f810N.exe -> cmd.exe      procid_target: 86   (x3)
  PID 2920 wrote to memory of 4608   cmd.exe -> taskkill.exe                                  procid_target: 90   (x3)
Processes

1. C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe   (PID 2588)
   command line: "C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe   (PID 2920)
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe" & exit
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe   (PID 4608)
         command line: taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe   (PID 3968)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1388
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe   (PID 5076)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2588 -ip 2588

The cmd.exe child is a textbook self-deletion chain: the sample asks cmd to force-kill its own image by name and then erase its on-disk file (erase is an alias of del in cmd), so that the executable is gone once the parent has been terminated. The image path is C:\Windows\SysWOW64\cmd.exe although the command line names System32 because the 32-bit sample is subject to WOW64 file system redirection on the x64 VM.
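The two behaviours worth alerting on in this report, the Geo\Nation lookup and the cmd.exe self-deletion chain, can both be recovered from plain process and registry telemetry. The following is an added example written for this page, not tria.ge code and not its export format: it parses a constructed, pipe-delimited event log that mirrors the process tree and registry IoC above (the explorer.exe and notepad.exe lines are an added negative case), and flags (a) any process that reads the configured country GeoID and (b) any cmd.exe child whose command line taskkills and erases its own parent's image.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed telemetry for this example (not tria.ge's log format):
#   kind|pid|ppid|image_or_registry_key|command_line
# The first five lines mirror the report's process tree and registry IoC; the
# explorer.exe/notepad.exe lines are an added benign taskkill for contrast.
SAMPLE_LOG = r"""
proc|2588|1234|C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe|"C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe"
regq|2588|-|\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation|
proc|2920|2588|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /c taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe" & exit
proc|4608|2920|C:\Windows\SysWOW64\taskkill.exe|taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f
proc|3968|2588|C:\Windows\SysWOW64\WerFault.exe|C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1388
proc|2000|1|C:\Windows\explorer.exe|explorer.exe
proc|7001|2000|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c taskkill /im notepad.exe /f
"""

# Suffix of the registry path that stores the user's GeoID (country code).
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


@dataclass
class Event:
    kind: str            # "proc" = process creation, "regq" = registry value query
    pid: int
    ppid: Optional[int]  # None for non-process events
    image: str           # image path (proc) or registry key path (regq)
    cmdline: str


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited event lines into Event records."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(Event(kind, int(pid), None if ppid == "-" else int(ppid), image, cmdline))
    return events


def detect_geofence(events: List[Event]) -> List[int]:
    """PIDs that read HKCU\\Control Panel\\International\\Geo\\Nation (country check)."""
    return sorted({e.pid for e in events
                   if e.kind == "regq" and e.image.lower().endswith(GEO_NATION_SUFFIX)})


def detect_self_delete(events: List[Event]) -> List[Tuple[int, int]]:
    """(parent_pid, cmd_pid) pairs where a cmd.exe child kills and erases its parent's image.

    Both conditions must hold: taskkill /im <parent image name> and erase/del <parent path>.
    """
    procs = {e.pid: e for e in events if e.kind == "proc"}
    hits = []
    for e in procs.values():
        if ntpath.basename(e.image).lower() != "cmd.exe" or e.ppid not in procs:
            continue
        parent = procs[e.ppid]
        parent_name = ntpath.basename(parent.image).lower()
        cl = e.cmdline.lower()
        kills_parent = re.search(r'taskkill\b.*?/im\s+"?' + re.escape(parent_name), cl)
        erases_parent = re.search(r'\b(erase|del)\s+"?' + re.escape(parent.image.lower()), cl)
        if kills_parent and erases_parent:
            hits.append((parent.pid, e.pid))
    return hits


def analyze(text: str) -> dict:
    """Run both detections over a log and return the findings."""
    events = parse_events(text)
    return {"geofence_pids": detect_geofence(events),
            "self_delete": detect_self_delete(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Sysmon does not record registry reads (its registry events cover key/value creation, deletion and modification), so the Geo\Nation lookup is only visible in sandbox or API-monitor telemetry like this report; the self-deletion chain, by contrast, can be caught from process-creation events alone and is a good candidate for a production rule.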