Analysis
max time kernel: 118s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 23:28
Behavioral task: behavioral1
Sample: 2b4abcd116797228509c1ad692478660N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 2b4abcd116797228509c1ad692478660N.exe
Resource: win10v2004-20240709-en
General
Target: 2b4abcd116797228509c1ad692478660N.exe
Size: 59KB
MD5: 2b4abcd116797228509c1ad692478660
SHA1: d7c5d6a867992dec236fa4f3ef69ad8a9693a809
SHA256: 162a506435a80ab3109bd2bd9f829eaf8f228220ff350dd102db11c481dfc4fc
SHA512: d3e4ff58e60af702bb2bfcc297c3d3187758f576815a64a9a2a18d1eec1883a6e2f4c9303b809020ed880c761687b5520e4a337d15885630c3d6ecbfa81c0108
SSDEEP: 1536:3+ZgwRdiE8cO4p1xRjfTvSq5r3ZiIZ4nouy8uh1aQ/:OeodiUO4p13b9HiIeoutuh1aQ/
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation (process: 2b4abcd116797228509c1ad692478660N.exe)

Executes dropped EXE (1 IoC)
PID 1684: AhnSvc.exe

YARA rule match: upx (6 IoCs)
behavioral2/memory/3092-0-0x0000000000BA0000-0x0000000000BC7000-memory.dmp
behavioral2/files/0x0008000000023469-2.dat
behavioral2/memory/1684-7-0x0000000000780000-0x00000000007A7000-memory.dmp
behavioral2/memory/3092-9-0x0000000000BA0000-0x0000000000BC7000-memory.dmp
behavioral2/memory/1684-10-0x0000000000780000-0x00000000007A7000-memory.dmp
behavioral2/memory/1684-11-0x0000000000780000-0x00000000007A7000-memory.dmp
Both the original process (3092) and the dropped AhnSvc.exe (1684) match the rule in memory, as does the dropped file on disk.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run" (process: 2b4abcd116797228509c1ad692478660N.exe)
The value name is misspelled as written ("AhnUpadate"), and the drop path under ProgramData borrows the name of the antivirus vendor AhnLab. The key sits under WOW6432Node because the sample is a 32-bit image running on x64.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 3092, 2b4abcd116797228509c1ad692478660N.exe
Token: SeDebugPrivilege, PID 1684, AhnSvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
PID 3092 (2b4abcd116797228509c1ad692478660N.exe) wrote to memory of PID 1684, procid_target 86 (3 records)
PID 3092 (2b4abcd116797228509c1ad692478660N.exe) wrote to memory of PID 1028, procid_target 87 (3 records)
These writes coincide with the creation of the two child processes (1684 and 1028); a parent writing into a child it has just created is routine and is not by itself evidence of injection.
Processes
C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe (PID 3092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\AhnLab\AhnSvc.exe (PID 1684, child of 3092)
    Command line: "C:\ProgramData\AhnLab\AhnSvc.exe" /run
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 1028, child of 3092)
    Command line: "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe" >> NUL
The original process launches the dropped copy from ProgramData and then deletes its own image via cmd.exe. The requested system32\cmd.exe resolves to SysWOW64\cmd.exe because WOW64 file system redirection applies to the 32-bit parent.
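The Run-key write and the cmd.exe self-deletion in this report are the two behaviours most worth turning into host detections. The Python below is an added example, not output from tria.ge and not code from the sample: it runs two checks over constructed events that mirror the report's registry and process records. The event dictionary layout, the benign control events, and the list of user-writable directory prefixes are assumptions made for the example.

```python
import ntpath
import re

# Constructed events modelled on the report's records (field layout is an
# assumption, not the sandbox's own format). The last three are benign
# controls: a vendor agent under Program Files cleaning up a log file.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 3092, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe"'},
    {"type": "reg_set", "pid": 3092,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate",
     "value": r'"C:\ProgramData\AhnLab\AhnSvc.exe" /run'},
    {"type": "proc", "pid": 1684, "ppid": 3092,
     "image": r"C:\ProgramData\AhnLab\AhnSvc.exe",
     "cmdline": r'"C:\ProgramData\AhnLab\AhnSvc.exe" /run'},
    {"type": "proc", "pid": 1028, "ppid": 3092,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe" >> NUL'},
    {"type": "reg_set", "pid": 4100,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r'"C:\Program Files\Vendor\agent.exe" /background'},
    {"type": "proc", "pid": 4100, "ppid": 0,
     "image": r"C:\Program Files\Vendor\agent.exe",
     "cmdline": r'"C:\Program Files\Vendor\agent.exe" /background'},
    {"type": "proc", "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c del /q "C:\ProgramData\Vendor\old.log"'},
]

# Run and RunOnce under either the native or the WOW6432Node hive path.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Heuristic list of locations an unprivileged user can write to (assumption).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")
# 'del' with optional switches, followed by a quoted or bare target path.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def image_from_command(cmdline: str) -> str:
    """Return the executable path at the start of a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def in_user_writable_dir(path: str) -> bool:
    """True if the path sits under ProgramData, a user profile, or a Temp dir."""
    low = path.lower()
    return low.startswith(USER_WRITABLE_PREFIXES) or "\\temp\\" in low


def detect_run_key_persistence(events):
    """Flag Run/RunOnce values whose target binary lives in a user-writable path."""
    findings = []
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        m = RUN_KEY_RE.search(ev["key"])
        if not m:
            continue
        image = image_from_command(ev["value"])
        if in_user_writable_dir(image):
            findings.append({"pid": ev["pid"], "value_name": m.group(2), "image": image})
    return findings


def detect_self_delete(events):
    """Flag a cmd.exe 'del' whose target is the image of the process that spawned it."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "proc"}
    findings = []
    for ev in events:
        if ev["type"] != "proc" or ntpath.basename(ev["image"]).lower() != "cmd.exe":
            continue
        parent_image = images.get(ev["ppid"])
        if parent_image is None:
            continue
        for m in DEL_RE.finditer(ev["cmdline"]):
            target = m.group(1) or m.group(2)
            if ntpath.normcase(target) == ntpath.normcase(parent_image):
                findings.append({"pid": ev["pid"], "parent_pid": ev["ppid"], "deleted": target})
    return findings


if __name__ == "__main__":
    for f in detect_run_key_persistence(SAMPLE_EVENTS):
        print("Run-key persistence from user-writable path:", f)
    for f in detect_self_delete(SAMPLE_EVENTS):
        print("Parent image deleted by child cmd.exe:", f)
```

The self-deletion check deliberately keys on the parent's image rather than on "cmd /c del" alone, which is why the vendor agent removing a log file in the control events is not reported; the Run-key check keys on where the target lives, so the same AhnSvc.exe value would pass if it pointed under Program Files.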
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 59KB
MD5: cad293713cfa486d2a38ada3ab179f8b
SHA1: 974ff01a4036e576e9cb1bafc04908facf4faaf6
SHA256: 7bda18f00b19c7542a756b8459b6c432492264adf79fa47e04103380535b2bc2
SHA512: a44d7b1016ba8abb3dc36e9b534b196bf9824d1db351d13d1dfe902245bc650bf1949397eb88c7a08a315a2c70917f35c4ae323052ccb1822dcb3941c526ced0