Analysis

  • max time kernel
    101s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/07/2024, 20:35

General

  • Target

    061d0c491d5c672cec51c3e499e3cb60N.exe

  • Size

    436KB

  • MD5

    061d0c491d5c672cec51c3e499e3cb60

  • SHA1

    39a52fdd2b769ed9217ce6b08f9bd2ef44149418

  • SHA256

    74602e4cc9f25828cf5dc3b213c09e68cf95e15bfcf477bdba2b109c73cc0a79

  • SHA512

    b003edaed30bb45b25772bf06564d11f7db751b6528dae1e762f4d5f0b6cbd02f18b132459a3a7b23a81687d0aff71dadae2e96c86c200cec837f99cf6de951c

  • SSDEEP

    3072:sgsCs5apuKRZZ5AyFZG8iJAXnZqRhvQO3V+lzs+B0MwXMAsYmpmd/h1:sgE5awKTgyFZG8iCnZq3vXf80MUmpmr1

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe
    "C:\Users\Admin\AppData\Local\Temp\061d0c491d5c672cec51c3e499e3cb60N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\SysWOW64\wininit32.exe
      C:\Windows\system32\wininit32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r2720.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\r2720.bat

    Filesize

    237B

    MD5

    ef92112e10d82a26d539504ca22eb7f0

    SHA1

    d9f258316bccb6598dfd0d5befa7fc4761bbdfa3

    SHA256

    e59a9babb55a4f4c23c5c6c59fe8da94d8c3207ff1c12c81329705d5c3be5fb4

    SHA512

    d94dfdf053531344c71ce7b81e5fc0ee313e6d1558e8c8ae0ab7563920c36ea1f47298323a1cf86433f287fd0ed62e0a355049d2c44ffb6c621524963d16fd28

  • C:\Windows\SysWOW64\wininit32.exe

    Filesize

    455KB

    MD5

    dace0512317e73876637f93af513c46b

    SHA1

    432e5b3d804a13c1870f4f9e7a2fba6c880e2fcb

    SHA256

    3c49eab4554684d1187313ad9ebe48d1bcdf4fc6fb294af3d2be0c3276a6d76e

    SHA512

    5823b1adee993711d31edb7a5311dc4f2ba0e8bc422a10ac3cc2c58746f38fe2d429da04b8651e5b0f7bf85b38725d9bff4b9315cfcb45e3109e57d73536a7a9

  • memory/1372-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1372-10-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1568-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB