Analysis
- max time kernel: 119s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/07/2024, 11:23
Static task: static1
Behavioral task: behavioral1
- Sample: b235e8de79b0191a83d3b49aa7048f40N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: b235e8de79b0191a83d3b49aa7048f40N.exe
- Resource: win10v2004-20240709-en
General
- Target: b235e8de79b0191a83d3b49aa7048f40N.exe
- Size: 84KB
- MD5: b235e8de79b0191a83d3b49aa7048f40
- SHA1: 4c1de2173bfaa53140aa8ee0cef628aa76edebb7
- SHA256: b09e310442fe5a9f3b0a8fba7e913e2bb06c72f87a5bc3043eb059d64c0c7069
- SHA512: d6bf52ddeb8eca5859d8cdb7026e5c6de5c279823fca18a2eb74a05b8497f4124f4e866bf8fd254f9f25dcca7ff2e369893f69dbb04ba725d0629c2df347b41f
- SSDEEP: 1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | b235e8de79b0191a83d3b49aa7048f40N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | lsass.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  1568 | lsass.exe
  4476 | lsass.exe
  2328 | lsass.exe
  2732 | lsass.exe
- resource | yara_rule
  behavioral2/memory/2172-2-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/2172-13-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/2172-14-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/2172-40-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4476-54-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/2172-59-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4476-89-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\lsass.exe" | reg.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 3180 set thread context of 2172 | 3180 | b235e8de79b0191a83d3b49aa7048f40N.exe | 86
  PID 1568 set thread context of 4476 | 1568 | lsass.exe | 95
  PID 1568 set thread context of 2328 | 1568 | lsass.exe | 96
  PID 2328 set thread context of 2732 | 2328 | lsass.exe | 97
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description | pid | Process | occurrences
  Token: SeDebugPrivilege | 4476 | lsass.exe | 43 (identical entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  3180 | b235e8de79b0191a83d3b49aa7048f40N.exe
  2172 | b235e8de79b0191a83d3b49aa7048f40N.exe
  1568 | lsass.exe
  4476 | lsass.exe
- Suspicious use of WriteProcessMemory (39 IoCs; identical entries collapsed, with counts)
  description | pid | Process | procid_target | occurrences
  PID 3180 wrote to memory of 2172 | 3180 | b235e8de79b0191a83d3b49aa7048f40N.exe | 86 | 8
  PID 2172 wrote to memory of 376 | 2172 | b235e8de79b0191a83d3b49aa7048f40N.exe | 87 | 3
  PID 376 wrote to memory of 2644 | 376 | cmd.exe | 90 | 3
  PID 2172 wrote to memory of 1568 | 2172 | b235e8de79b0191a83d3b49aa7048f40N.exe | 91 | 3
  PID 1568 wrote to memory of 4476 | 1568 | lsass.exe | 95 | 8
  PID 1568 wrote to memory of 2328 | 1568 | lsass.exe | 96 | 7
  PID 2328 wrote to memory of 2732 | 2328 | lsass.exe | 97 | 7
Processes
- C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe (PID 3180, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe (PID 2172, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b235e8de79b0191a83d3b49aa7048f40N.exe"
    Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 376, level 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XXJRI.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2644, level 4)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
        Signatures: Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\system\lsass.exe (PID 1568, level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\system\lsass.exe (PID 4476, level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\system\lsass.exe (PID 2328, level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\system\lsass.exe (PID 2732, level 5)
          Command line: "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
          Signatures: Checks computer location settings; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads