Site notice (tria.ge): Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 111s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/07/2024, 02:27
Behavioral task: behavioral1
- Sample: 3a98f49098a5bfbfada3220944312a30N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 3a98f49098a5bfbfada3220944312a30N.exe
- Resource: win10v2004-20240709-en
General
- Target: 3a98f49098a5bfbfada3220944312a30N.exe
- Size: 63KB
- MD5: 3a98f49098a5bfbfada3220944312a30
- SHA1: 186ccb1e83a6a9f7085f25c0dbee520bb3c3f59f
- SHA256: dfb6a42dab45fdb3b7d3e0a5951089a40a0151ba89aac9b23ab78b4b2196c495
- SHA512: 91531b1964cd25d8be86dd877f116eaa5af2673b890af3a61a67ad57cfb125fd508049895864606da6fc274fa79fcc2f5f2a38cae12f70ef7a7b43949fd8cd23
- SSDEEP: 1536:fvQoLHjw2iWPKMvw71oLyXQUUqnouy8YXuvooodwwwt111n:fv5Ls27BIJoLyXTUyoutYXCooodwwwth
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 3a98f49098a5bfbfada3220944312a30N.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4384 | pwshost.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/4784-0-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral2/files/0x00090000000233d0-4.dat | upx
  behavioral2/memory/4784-5-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral2/memory/4384-6-0x0000000000400000-0x000000000040F000-memory.dmp | upx
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Debug\pwshost.exe | 3a98f49098a5bfbfada3220944312a30N.exe
  File opened for modification | C:\Windows\Debug\pwshost.exe | 3a98f49098a5bfbfada3220944312a30N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3a98f49098a5bfbfada3220944312a30N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pwshost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | pwshost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | pwshost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 4784 | 3a98f49098a5bfbfada3220944312a30N.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4784 wrote to memory of 1452 | 4784 | 3a98f49098a5bfbfada3220944312a30N.exe | 88
  PID 4784 wrote to memory of 1452 | 4784 | 3a98f49098a5bfbfada3220944312a30N.exe | 88
  PID 4784 wrote to memory of 1452 | 4784 | 3a98f49098a5bfbfada3220944312a30N.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\3a98f49098a5bfbfada3220944312a30N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a98f49098a5bfbfada3220944312a30N.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4784
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3A98F4~1.EXE > nul
    - System Location Discovery: System Language Discovery
    PID: 1452
- C:\Windows\Debug\pwshost.exe (depth 1)
  Command line: C:\Windows\Debug\pwshost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID: 4384
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 63KB
  MD5: 05eddfff3049e749878575f17dee4152
  SHA1: c2aa800db3a3260dd42e6c8162f55508675e52b3
  SHA256: 6a13090d68e281169c2fc588aeb1ec109b735de8b1ca4eb7ef569da935f1d336
  SHA512: a5bc810849794fa9b9b5881fa9ea5242ed60da0ca6262ae8532cd326864e2cbad6b8bd9d92024d01e3e4a816fd40021672f2281e1f43bb5ab467629fc37fafb5