Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 111s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 21:08
Static task: static1
Behavioral task: behavioral1
- Sample: 08c44f3c0c5e903d7b1879b42987a260N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 08c44f3c0c5e903d7b1879b42987a260N.exe
- Resource: win10v2004-20240709-en
General
- Target: 08c44f3c0c5e903d7b1879b42987a260N.exe
- Size: 28KB
- MD5: 08c44f3c0c5e903d7b1879b42987a260
- SHA1: 3e8c2031989724b9fa0445912eaedf0b96c8b2ca
- SHA256: 829b3923c5aa4522cc36b4b0fee7ca6c7d34c35a1966703fe1b9da1876822169
- SHA512: cab94b0da2c038bc00cb3665f66bdea1e934e49f8a7ef0cd4cbefa197ba20c1dc4124422e4d266642ac7b5415c806a4d6c63886928cd74a9af5f790c3a0c21cf
- SSDEEP: 384:MqvAXxH6zoHAcIWed4+kSLqrXla7vvxlLjlFVVVV1dFFFFT:zWxMoHNed6a7DZrdFFFFT
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid: 1720; Process: attrib.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe
- Executes dropped EXE (1 IoCs)
  pid: 2196; Process: oqchost.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in Windows directory (3 IoCs)
  description: File opened for modification; ioc: C:\Windows\Debug\oqchost.exe; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe
  description: File opened for modification; ioc: C:\Windows\Debug\oqchost.exe; Process: attrib.exe
  description: File created; ioc: C:\Windows\Debug\oqchost.exe; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: oqchost.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: attrib.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeIncBasePriorityPrivilege; pid: 4740; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4740 wrote to memory of 1720; pid: 4740; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe; procid_target: 84
  description: PID 4740 wrote to memory of 1720; pid: 4740; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe; procid_target: 84
  description: PID 4740 wrote to memory of 1720; pid: 4740; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe; procid_target: 84
  description: PID 4740 wrote to memory of 5048; pid: 4740; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe; procid_target: 90
  description: PID 4740 wrote to memory of 5048; pid: 4740; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe; procid_target: 90
  description: PID 4740 wrote to memory of 5048; pid: 4740; Process: 08c44f3c0c5e903d7b1879b42987a260N.exe; procid_target: 90
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid: 1720; Process: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\08c44f3c0c5e903d7b1879b42987a260N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08c44f3c0c5e903d7b1879b42987a260N.exe"
  PID: 4740
  Signatures:
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +a +s +h +r C:\Windows\Debug\oqchost.exe
    PID: 1720
    Signatures:
    - Sets file to hidden
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\08C44F~1.EXE > nul
    PID: 5048
    Signatures:
    - System Location Discovery: System Language Discovery
- C:\Windows\Debug\oqchost.exe
  Command line: C:\Windows\Debug\oqchost.exe
  PID: 2196
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: 4ba8a1617a83c185167b66dc5db79844
  SHA1: ee1e367af2f9ab9b2390554334d685f29f619c3a
  SHA256: 819d74cbb258030bfd95ea22d8fd6064f6e919fef25a65e3bd97bfc5e3c2bcec
  SHA512: 1a03d730d73449aca03d8cdf74719d489689668d56a030e66265792a6c11d90433df3ac95e059b9b7f3edcb5b458310aee2078afb34972cc12f6a1d1a1776c86