Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/07/2024, 01:07
Behavioral task behavioral1
Sample: 12d1020017fff59c924e555b2045ddc0.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: 12d1020017fff59c924e555b2045ddc0.exe
Resource: win10v2004-20240709-en
The signatures, resources and process tree listed below all come from behavioral2 (the Windows 10 run); no behavioral1 results are shown on this page.
General
Target: 12d1020017fff59c924e555b2045ddc0.exe
Size: 27KB
MD5: 12d1020017fff59c924e555b2045ddc0
SHA1: 6c4a77d49f82bf9d35aef64fe56b0e5f889a5783
SHA256: 13015a7268aa6a75597940c60c0361bd7fca6fc60223c95fc10c5274fa3fd3eb
SHA512: 18694c005420d0bfcb20dcff7cb395723fb54604df291a3e830331b48ffd1010412c398372fcf5e912b1ec9ae7b0f571a1448f622a870917d993c0c8c5d03eaf
SSDEEP: 384:aGpN5/SfmVoonJWpSu+Ip7JLyaBOEj63eVi06MCLGuiLKaPqS1m:fhZSoEpnp7JLyWWElhCSujaPS
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The value is the user's configured location, so a legitimate installer reading it is common; the check is suspicious here mainly in combination with the drop-and-execute behaviour below.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation
process: 12d1020017fff59c924e555b2045ddc0.exe
Executes dropped EXE (1 IoC)
pid: 3984
process: hhcbrnaff.exe
Matches yara rule upx (2 IoCs)
resource: behavioral2/memory/1576-0-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule: upx
resource: behavioral2/files/0x0009000000023459-13.dat, yara_rule: upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs; the three rows reported are identical)
description: PID 1576 wrote to memory of 3984
pid: 1576
process: 12d1020017fff59c924e555b2045ddc0.exe
procid_target: 85
A parent writing into a child it has just created also happens during ordinary process start-up, so this signature is weak on its own; it matters here because the target is the dropped hhcbrnaff.exe.
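The two upx matches above (one on the in-memory image of PID 1576, one on the dropped file) come from a yara rule whose text the report does not show. The following is an added example, not code from tria.ge or from the sample, of the structural check such a rule typically keys on: UPX leaves its section names (UPX0, UPX1) in the PE section table and an "UPX!" marker in the file. Section headers live in the PE header, which is mapped at the image base, which is why a dump of the image region can match the same way the file on disk does. The `build_pe` fixture constructs a minimal, non-loadable PE image for testing and is an assumption of this example, not a real sample.

```python
import struct

COFF_HDR = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics


def build_pe(names):
    """Constructed test fixture: DOS stub, PE signature, COFF header with no
    optional header, and one 40-byte section header per name. Not loadable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack(COFF_HDR, 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        struct.pack(SECTION_HDR, n.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names)
    )
    return bytes(dos) + b"PE\0\0" + coff + sections


def section_names(pe):
    """Walk the section table of a PE image (file or image dump) and return its names."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    names = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 8 > len(pe):
            break  # truncated table: report what is there rather than guessing
        names.append(pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(pe):
    """True if any section is named UPX* or the UPX! marker string is present."""
    return bool(any(n.startswith("UPX") for n in section_names(pe)) or b"UPX!" in pe)


if __name__ == "__main__":
    print(section_names(build_pe(["UPX0", "UPX1", ".rsrc"])))
    print(looks_upx_packed(build_pe(["UPX0", "UPX1", ".rsrc"])),
          looks_upx_packed(build_pe([".text", ".rdata", ".data"])))
```

Section names are trivially renamed by anyone who wants to evade this, so treat a hit as "packed with stock UPX", and a miss as nothing at all.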
Processes
1. C:\Users\Admin\AppData\Local\Temp\12d1020017fff59c924e555b2045ddc0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\12d1020017fff59c924e555b2045ddc0.exe"
   PID: 1576
   signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe (child of PID 1576)
      command line: "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
      PID: 3984
      signatures: Executes dropped EXE
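Individually, the signatures in this report are low-confidence: reading Geo\Nation is what installers do, and a parent writing into its new child's memory is part of ordinary process creation. What makes the sample worth a look is that one process does all three: checks the locale, writes an EXE to its own temp directory, starts it, and writes into it. The following is an added example, not tria.ge's own detection logic, of correlating those behaviours per process over endpoint events. The event records are constructed for this example; PIDs, image paths and the registry key are taken from the report above, while the event schema (`process_create`, `registry_query`, `file_create`, `write_process_memory`) is an assumption and would need mapping onto whatever your sensor emits.

```python
from collections import defaultdict

GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"
SID = "S-1-5-21-464762018-485119342-1613148473-1000"

# Constructed events modelled on the report's rows plus one benign installer for contrast.
EVENTS = [
    {"type": "process_create", "pid": 1576, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\12d1020017fff59c924e555b2045ddc0.exe"},
    {"type": "registry_query", "pid": 1576,
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 1576,
     "path": r"C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"},
    {"type": "process_create", "pid": 3984, "ppid": 1576,
     "image": r"C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"},
    {"type": "write_process_memory", "pid": 1576, "target_pid": 3984},
    # benign: a setup program that reads the locale but drops nothing and injects nowhere
    {"type": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Vendor\setup.exe"},
    {"type": "registry_query", "pid": 4100,
     "key": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
]


def triage(events, min_hits=2):
    """Group events by acting process and report processes showing at least
    `min_hits` of: geofence check, executing an EXE it dropped itself,
    writing into the memory of such a child."""
    state = defaultdict(lambda: {"geo": False, "dropped": set(), "children": {}, "wpm": set()})
    image_of = {}
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            image_of[pid] = ev["image"]
            state[ev["ppid"]]["children"][pid] = ev["image"].lower()
        elif kind == "registry_query" and ev["key"].lower().endswith(GEO_KEY_SUFFIX):
            state[pid]["geo"] = True
        elif kind == "file_create" and ev["path"].lower().endswith(".exe"):
            state[pid]["dropped"].add(ev["path"].lower())
        elif kind == "write_process_memory":
            state[pid]["wpm"].add(ev["target_pid"])

    findings = []
    for pid, st in state.items():
        # children whose image is a file this very process wrote to disk
        executed_drops = {c for c, img in st["children"].items() if img in st["dropped"]}
        injected_drops = executed_drops & st["wpm"]
        hits = []
        if st["geo"]:
            hits.append("geofence_check")
        if executed_drops:
            hits.append("executes_dropped_exe")
        if injected_drops:
            hits.append("writes_memory_of_dropped_child")
        if len(hits) >= min_hits:
            findings.append({"pid": pid, "image": image_of.get(pid),
                             "signatures": hits, "children": sorted(executed_drops)})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

The installer (PID 4100) trips only the geofence check and is not reported; the sample's parent (PID 1576) trips all three. The "dropped" relation is keyed on the exact path the process created, so a child started from a file written by some other process does not count as an executed drop.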
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 27KB
MD5: 44cc7bd2f7b4ef51a984d9469937cb24
SHA1: 0bc057d8ec1c9ffff75cf49e88e5604e7703b902
SHA256: 93854ade59389290fcf2947ad4b36ac3fd101dd241586921b6d8a5380af0c49e
SHA512: f3add3244c6a7ef3a5c7911ae884c6ff5494615a41b17171de6af3513f4ecc558a4b1f9ec1530a92dddbff751678cd6301ce663bb590746a95f78a2dc58a7cea