Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/07/2024, 23:28

General

  • Target

    2b4abcd116797228509c1ad692478660N.exe

  • Size

    59KB

  • MD5

    2b4abcd116797228509c1ad692478660

  • SHA1

    d7c5d6a867992dec236fa4f3ef69ad8a9693a809

  • SHA256

    162a506435a80ab3109bd2bd9f829eaf8f228220ff350dd102db11c481dfc4fc

  • SHA512

    d3e4ff58e60af702bb2bfcc297c3d3187758f576815a64a9a2a18d1eec1883a6e2f4c9303b809020ed880c761687b5520e4a337d15885630c3d6ecbfa81c0108

  • SSDEEP

    1536:3+ZgwRdiE8cO4p1xRjfTvSq5r3ZiIZ4nouy8uh1aQ/:OeodiUO4p13b9HiIeoutuh1aQ/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe
    "C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\ProgramData\AhnLab\AhnSvc.exe
      "C:\ProgramData\AhnLab\AhnSvc.exe" /run
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\2b4abcd116797228509c1ad692478660N.exe" >> NUL
      2⤵
        PID:1028

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AhnLab\AhnSvc.exe

      Filesize

      59KB

      MD5

      cad293713cfa486d2a38ada3ab179f8b

      SHA1

      974ff01a4036e576e9cb1bafc04908facf4faaf6

      SHA256

      7bda18f00b19c7542a756b8459b6c432492264adf79fa47e04103380535b2bc2

      SHA512

      a44d7b1016ba8abb3dc36e9b534b196bf9824d1db351d13d1dfe902245bc650bf1949397eb88c7a08a315a2c70917f35c4ae323052ccb1822dcb3941c526ced0

    • memory/1684-7-0x0000000000780000-0x00000000007A7000-memory.dmp

      Filesize

      156KB

    • memory/1684-10-0x0000000000780000-0x00000000007A7000-memory.dmp

      Filesize

      156KB

    • memory/1684-11-0x0000000000780000-0x00000000007A7000-memory.dmp

      Filesize

      156KB

    • memory/3092-0-0x0000000000BA0000-0x0000000000BC7000-memory.dmp

      Filesize

      156KB

    • memory/3092-9-0x0000000000BA0000-0x0000000000BC7000-memory.dmp

      Filesize

      156KB