Analysis
max time kernel: 103s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2024, 07:51
Static task: static1
Behavioral task: behavioral1
  Sample: 696dc28f0674f41742355b3f2e167270N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 696dc28f0674f41742355b3f2e167270N.exe
  Resource: win10v2004-20240709-en
General
Target: 696dc28f0674f41742355b3f2e167270N.exe
Size: 39KB
MD5: 696dc28f0674f41742355b3f2e167270
SHA1: 8328d1843601bb6e4d44c70c7e156bd90f00913d
SHA256: b103827df422104e89b003c174c8442c879879b7ef886c943a3306b11f8d116f
SHA512: e544a7073a4df03b128c968d604f38774f67020a7f3921cf377ff4b3e5f2fdd05c9ccc5c3a764651480801d4eb4191a8f2eb3e2e58716bf9381d74cad4019971
SSDEEP: 192:jEdMPnwR2bCL8KktnAs7lp1FHif+SjInE6rNr5TdWooAeXR/V49d444UefDSwpIX:jFPnwR2Ca1lpvH6dMtRe5/J0
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 696dc28f0674f41742355b3f2e167270N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | gert.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1660 | gert.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2904 wrote to memory of 1660 | 2904 | 696dc28f0674f41742355b3f2e167270N.exe | 87
  PID 2904 wrote to memory of 1660 | 2904 | 696dc28f0674f41742355b3f2e167270N.exe | 87
  PID 2904 wrote to memory of 1660 | 2904 | 696dc28f0674f41742355b3f2e167270N.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\696dc28f0674f41742355b3f2e167270N.exe (PID: 2904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\696dc28f0674f41742355b3f2e167270N.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gert.exe (PID: 1660, child of PID 2904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gert.exe"
    - Checks computer location settings
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 39KB
  MD5: e6d545d3fec7aa2ed39ad316e42e6950
  SHA1: d09bbf30046083494d89c079f8ead2337afbc2d1
  SHA256: 40695e976d5185428f901f1aecaedc2387fa00d44d3432dd62b357c60146400d
  SHA512: f769ef77ecbdd82f38739a1b8265534f6fff54e859d67a96e62038b95546953ef6c1a9c8536d442f153efe5af3957395b89b429b448db308c9bc5f83139cbc5d
- Filesize: 4KB
  MD5: b649bb4bbcec6444434d2df7501effb6
  SHA1: f8a04ac654e2234fa2644abf8e293d02bc01c8fd
  SHA256: c2779250c7e25bb12281a890f3ec61c3585c5bbad82fbbb55a3068191004fc4a
  SHA512: 7265c870e9d51cd6f4936860ec4443ae21754634997be1294bd17c8cbe0c23dba56e730bcacecfa73f5b305fbefaf5b75e2747dfd3cd83cfe6b416ac8cc7ecf2