Analysis
- max time kernel: 101s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 20:35

Static task
- static1

Behavioral task
- behavioral1
  Sample: 061d0c491d5c672cec51c3e499e3cb60N.exe
  Resource: win7-20240708-en

Behavioral task
- behavioral2
  Sample: 061d0c491d5c672cec51c3e499e3cb60N.exe
  Resource: win10v2004-20240709-en
General
- Target: 061d0c491d5c672cec51c3e499e3cb60N.exe
- Size: 436KB
- MD5: 061d0c491d5c672cec51c3e499e3cb60
- SHA1: 39a52fdd2b769ed9217ce6b08f9bd2ef44149418
- SHA256: 74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79
- SHA512: b003edaed30bb45b25772bf06564d11f7db751b6528dae1e762f4d5f0b6cbd02f18b132459a3a7b23a81687d0aff71dadae2e96c86c200cec837f99cf6de951c
- SSDEEP: 3072:sgsCs5apuKRZZ5AyFZG8iJAXnZqRhvQO3V+lzs+B0MwXMAsYmpmd/h1:sgE5awKTgyFZG8iCnZq3vXf80MUmpmr1
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 061d0c491d5c672cec51c3e499e3cb60N.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  1568 | wininit32.exe

- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\wininit32.exe | 061d0c491d5c672cec51c3e499e3cb60N.exe
  File opened for modification | C:\Windows\SysWOW64\wininit32.exe | 061d0c491d5c672cec51c3e499e3cb60N.exe
  File created | C:\Windows\SysWOW64\wininit32.exe | wininit32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 061d0c491d5c672cec51c3e499e3cb60N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wininit32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1372 | 061d0c491d5c672cec51c3e499e3cb60N.exe
  1568 | wininit32.exe
  (64 entries in total, all for these two processes)

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1372 wrote to memory of 1568 | 1372 | 061d0c491d5c672cec51c3e499e3cb60N.exe | 87
  PID 1372 wrote to memory of 1568 | 1372 | 061d0c491d5c672cec51c3e499e3cb60N.exe | 87
  PID 1372 wrote to memory of 1568 | 1372 | 061d0c491d5c672cec51c3e499e3cb60N.exe | 87
  PID 1372 wrote to memory of 972 | 1372 | 061d0c491d5c672cec51c3e499e3cb60N.exe | 89
  PID 1372 wrote to memory of 972 | 1372 | 061d0c491d5c672cec51c3e499e3cb60N.exe | 89
  PID 1372 wrote to memory of 972 | 1372 | 061d0c491d5c672cec51c3e499e3cb60N.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe"
  PID: 1372
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\wininit32.exe
    Command line: C:\Windows\system32\wininit32.exe
    PID: 1568
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r2720.bat" "
    PID: 972
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 237B
  MD5: ef92112e10d82a26d539504ca22eb7f0
  SHA1: d9f258316bccb6598dfd0d5befa7fc4761bbdfa3
  SHA256: e59a9babb55a4f4c23c5c6c59fe8da94d8c3207ff1c12c81329705d5c3be5fb4
  SHA512: d94dfdf053531344c71ce7b81e5fc0ee313e6d1558e8c8ae0ab7563920c36ea1f47298323a1cf86433f287fd0ed62e0a355049d2c44ffb6c621524963d16fd28

- Filesize: 455KB
  MD5: dace0512317e73876637f93af513c46b
  SHA1: 432e5b3d804a13c1870f4f9e7a2fba6c880e2fcb
  SHA256: 3c49eab4554684d1187313ad9ebe48d1bcdf4fc6fb294af3d2be0c3276a6d76e
  SHA512: 5823b1adee993711d31edb7a5311dc4f2ba0e8bc422a10ac3cc2c58746f38fe2d429da04b8651e5b0f7bf85b38725d9bff4b9315cfcb45e3109e57d73536a7a9