Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 03:54
Static task: static1
Behavioral task: behavioral1
  Sample: 57ae89b30d5c863b39239b7205c58a90N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 57ae89b30d5c863b39239b7205c58a90N.exe
  Resource: win10v2004-20240709-en
General
Target: 57ae89b30d5c863b39239b7205c58a90N.exe
Size: 93KB
MD5: 57ae89b30d5c863b39239b7205c58a90
SHA1: e9822712c25940f47838285bdce7ffdf77eabf40
SHA256: 1afb2ed8f468819ae11f4c24d82c73e059fa301415ad6decc25b0b9a7e87a6e1
SHA512: 29406829cffdf30693daec1f51da1bb333786d9806ae4425a0d11b9fb42417f265e70ff4dcb6919f1baca5102bf6540bf26d05290c85ac511dfaff71f3b796bb
SSDEEP: 1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7L:PfU/WF6QMauSuiWNi9CO+WARJrWNZ1
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        | ioc                                                                                                   | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 57ae89b30d5c863b39239b7205c58a90N.exe

- Executes dropped EXE (1 IoC)
  pid  | Process
  4816 | wuauclt.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description     | ioc                                                                                                                                              | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" | 57ae89b30d5c863b39239b7205c58a90N.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                          | pid  | Process                               | procid_target
  PID 5072 wrote to memory of 4816     | 5072 | 57ae89b30d5c863b39239b7205c58a90N.exe | 84
  PID 5072 wrote to memory of 4816     | 5072 | 57ae89b30d5c863b39239b7205c58a90N.exe | 84
  PID 5072 wrote to memory of 4816     | 5072 | 57ae89b30d5c863b39239b7205c58a90N.exe | 84
  PID 5072 wrote to memory of 4696     | 5072 | 57ae89b30d5c863b39239b7205c58a90N.exe | 96
  PID 5072 wrote to memory of 4696     | 5072 | 57ae89b30d5c863b39239b7205c58a90N.exe | 96
  PID 5072 wrote to memory of 4696     | 5072 | 57ae89b30d5c863b39239b7205c58a90N.exe | 96
Processes

1. C:\Users\Admin\AppData\Local\Temp\57ae89b30d5c863b39239b7205c58a90N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\57ae89b30d5c863b39239b7205c58a90N.exe"
   PID: 5072
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\Update\wuauclt.exe
      Command line: "C:\ProgramData\Update\wuauclt.exe" /run
      PID: 4816
      - Executes dropped EXE

   2. C:\windows\SysWOW64\cmd.exe
      Command line: "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\57ae89b30d5c863b39239b7205c58a90N.exe" >> NUL
      PID: 4696
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 94KB
MD5: 9e8ee3799fe9bdef37b82291e35dceea
SHA1: 7d38e094affa4a20aaca833b21001feec306a063
SHA256: 591ef1e6fa19bb7956ed14127ed4fe872ee4693d9b95c838e29d47e7ab302132
SHA512: 42780e96376f27e23924139d86114b2855b31aa90e336530825bbe381e002fc68f800bb04617f8db5d1807530d2a89b4ee1cb579d474303a70030ed6be447e6a