Analysis
- max time kernel: 104s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/07/2024, 02:53
Static task: static1
Behavioral task: behavioral1
- Sample: 5e1b3c0da52690da1e46301d2fcb0800N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 5e1b3c0da52690da1e46301d2fcb0800N.exe
- Resource: win10v2004-20240709-en
General
- Target: 5e1b3c0da52690da1e46301d2fcb0800N.exe
- Size: 42KB
- MD5: 5e1b3c0da52690da1e46301d2fcb0800
- SHA1: 83f4f49b0cedd49f4456d435bc4eadf7e4c5d2a1
- SHA256: 99cd998a479156e669d097a7420229d2c8b7c9671b5efe1d2cedc4c0635c4637
- SHA512: 97ccc7867d958258c7882ef4cc8a5b0366717bccbd013363509c5d90f6a472e157a888ac9c22e20b0ef423e5942b3c03897444f71f52197328b05d49c6987225
- SSDEEP: 384:I8/JYSrFQjGezfNHP1zZYpMYUzMk9hBcecy0rtKqhMa82c7ky435/tVcOOVo:F/3ed1zZN/zoy0rt/Mdn43RvcOx
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
  Process: 5e1b3c0da52690da1e46301d2fcb0800N.exe
- Executes dropped EXE (1 IoC)
  pid: 1004
  Process: update_pdf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 5e1b3c0da52690da1e46301d2fcb0800N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: update_pdf.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 3724 wrote to memory of 1004
  pid: 3724
  Process: 5e1b3c0da52690da1e46301d2fcb0800N.exe
  procid_target: 84
  description: PID 3724 wrote to memory of 1004
  pid: 3724
  Process: 5e1b3c0da52690da1e46301d2fcb0800N.exe
  procid_target: 84
  description: PID 3724 wrote to memory of 1004
  pid: 3724
  Process: 5e1b3c0da52690da1e46301d2fcb0800N.exe
  procid_target: 84
Processes
- C:\Users\Admin\AppData\Local\Temp\5e1b3c0da52690da1e46301d2fcb0800N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e1b3c0da52690da1e46301d2fcb0800N.exe"
  PID: 3724
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\update_pdf.exe (child of PID 3724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\update_pdf.exe"
    PID: 1004
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 42KB
  MD5: e1afc8810d6ef3935088a323cf212978
  SHA1: 223da5efdbaaf1e93ca9bf89ec786203ae4d914b
  SHA256: 908dfca953f5a95039f264be53796152f524a09defa39a9cdd8482b025d5b173
  SHA512: 5e193582c0479e5cbf23098d311fa32eb8718ae7b4db0283c8dc648cd89d0f6dfa0ee5ce82db38713656c564511e9f799a24d17e3f3435ffb9d1aa45e667af07