Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/07/2024, 06:04

Static task: static1
Behavioral task: behavioral1
Sample: cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
Resource: win7-20240704-en
General
Target: cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
Size: 336KB
MD5: 785a5215521aebe5a451ea71a9b08584
SHA1: f84373aea04589873857b5ea2023d9e95f9c32a0
SHA256: cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605
SHA512: 752d5fa610fa49e6c13596a61295cb0beeefffc593ce5369719be9255f9d4a70896bfc10e6b244df526ab68b5d8ed4e1bc15dbcbb610ec0bf8f663a58ebf76a7
SSDEEP: 6144:GLtOexihqv4m+lXD6betiTuBMTWjIDIiUBAkW9UOKMOtzWO8CatspddODi9w:GL1D+IatauBML42MykRa6p6
Malware Config
Extracted
Family: urelas
C2:
  218.54.31.165
  218.54.31.226
(both addresses fall in 218.54.31.0/24)
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry (the user's HKCU\Control Panel\International\Geo\Nation value), likely a geofence check.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation  cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation  kozax.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation  zobiij.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  2940  kozax.exe
  3504  zobiij.exe
  4112  risoh.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kozax.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zobiij.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  risoh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4112  risoh.exe   (all 64 IoCs are this one process)

Suspicious use of WriteProcessMemory (15 IoCs)
The report lists 15 rows for 5 distinct writer/target pairs; every pair is recorded three times. Each target is the writer's own child in the process tree below.
  description                        pid   Process                                                                 procid_target
  PID 4364 wrote to memory of 2940   4364  cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe  84
  PID 4364 wrote to memory of 5116   4364  cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe  85
  PID 2940 wrote to memory of 3504   2940  kozax.exe                                                               87
  PID 3504 wrote to memory of 4112   3504  zobiij.exe                                                              108
  PID 3504 wrote to memory of 3100   3504  zobiij.exe                                                              109
Processes (indentation shows parent/child depth; the bracketed number is the depth the report gives)

[1] C:\Users\Admin\AppData\Local\Temp\cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe  (PID 4364)
    command line: "C:\Users\Admin\AppData\Local\Temp\cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\kozax.exe  (PID 2940)
        command line: "C:\Users\Admin\AppData\Local\Temp\kozax.exe" hi
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\zobiij.exe  (PID 3504)
            command line: "C:\Users\Admin\AppData\Local\Temp\zobiij.exe" OK
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\risoh.exe  (PID 4112)
                command line: "C:\Users\Admin\AppData\Local\Temp\risoh.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3100)
                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 5116)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
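The WriteProcessMemory signature and the process tree above describe the same chain twice. As an added example (this is not part of the tria.ge report), the following Python script parses the signature rows as the report prints them, collapses the triplicated rows, rebuilds the parent/child chain, and flags any write whose target is not the writer's own child, which is the case that would point at cross-process injection rather than ordinary process creation. The WPM_ROWS text and the PROCESSES map are constructed from this page; the parent PIDs in PROCESSES come from the Processes tree.

```python
import re
from collections import defaultdict

# Constructed input: the 15 rows of the report's "Suspicious use of
# WriteProcessMemory" signature, copied from this page. Each row reads
# "PID <src> wrote to memory of <dst> <src> <src image> <seq>".
WPM_ROWS = """
PID 4364 wrote to memory of 2940 4364 cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe 84
PID 4364 wrote to memory of 2940 4364 cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe 84
PID 4364 wrote to memory of 2940 4364 cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe 84
PID 4364 wrote to memory of 5116 4364 cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe 85
PID 4364 wrote to memory of 5116 4364 cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe 85
PID 4364 wrote to memory of 5116 4364 cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe 85
PID 2940 wrote to memory of 3504 2940 kozax.exe 87
PID 2940 wrote to memory of 3504 2940 kozax.exe 87
PID 2940 wrote to memory of 3504 2940 kozax.exe 87
PID 3504 wrote to memory of 4112 3504 zobiij.exe 108
PID 3504 wrote to memory of 4112 3504 zobiij.exe 108
PID 3504 wrote to memory of 4112 3504 zobiij.exe 108
PID 3504 wrote to memory of 3100 3504 zobiij.exe 109
PID 3504 wrote to memory of 3100 3504 zobiij.exe 109
PID 3504 wrote to memory of 3100 3504 zobiij.exe 109
"""

# Constructed from the report's Processes section: PID -> (image, parent PID).
PROCESSES = {
    4364: ("cf43ef710b6ea0380fbb414b1a9961d4aeed969b8dcb4241c8f3c7f75b5d1605.exe", None),
    2940: ("kozax.exe", 4364),
    5116: ("cmd.exe", 4364),
    3504: ("zobiij.exe", 2940),
    4112: ("risoh.exe", 3504),
    3100: ("cmd.exe", 3504),
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_edges(text):
    """Return ({(src_pid, dst_pid): (src_image, seq)}, number of duplicate rows)."""
    edges, duplicates = {}, 0
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or not a signature row
        src, dst, src_again, image, seq = m.groups()
        if src != src_again:  # the pid column must repeat the writer's PID
            raise ValueError(f"inconsistent writer pid in row: {line!r}")
        key = (int(src), int(dst))
        if key in edges:
            duplicates += 1  # the report repeats each pair three times
            continue
        edges[key] = (image, int(seq))
    return edges, duplicates


def children_of(edges):
    """Parent PID -> child PIDs, ordered by the report's sequence number."""
    kids = defaultdict(list)
    for (src, dst), (_image, seq) in sorted(edges.items(), key=lambda kv: kv[1][1]):
        kids[src].append(dst)
    return dict(kids)


def roots(edges):
    """PIDs that write to others but are never written to: where the chain starts."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def lineage(edges, pid):
    """Ancestry from the root down to pid, following the write edges."""
    parent = {dst: src for (src, dst) in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def cross_process_writes(edges, processes):
    """Edges whose target is not the writer's direct child in the process tree.

    A parent writing into the child it just created is what process creation
    looks like under the hook; a write into any other process is the injection
    case worth a closer look.
    """
    return sorted((s, d) for (s, d) in edges if processes.get(d, (None, None))[1] != s)


def render_tree(edges, processes):
    """Plain-text tree in the same shape as the report's Processes section."""
    kids = children_of(edges)

    def walk(pid, depth):
        image = processes.get(pid, ("<unknown>", None))[0]
        out = [f"{'  ' * depth}{image} (PID {pid})"]
        for child in kids.get(pid, []):
            out.extend(walk(child, depth + 1))
        return out

    return "\n".join(line for r in roots(edges) for line in walk(r, 0))


if __name__ == "__main__":
    edges, dups = parse_edges(WPM_ROWS)
    print(f"{len(edges)} distinct writer/target pairs, {dups} duplicate rows")
    print(render_tree(edges, PROCESSES))
    print("writes outside the parent/child relation:", cross_process_writes(edges, PROCESSES))
```

For this sample every write edge coincides with a parent/child pair in the tree, so the signature here records the spawning of kozax.exe, zobiij.exe, risoh.exe and the two _vslite.bat runners rather than injection into an unrelated process; on a report where a process writes into something it did not create, cross_process_writes returns those pairs.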
Network
MITRE ATT&CK Enterprise v15
Downloads (the report lists hashes only; no file names or paths are given)

File 1
  Filesize: 340B
  MD5: d7581919afe46a28bbcdc6e987968c0c
  SHA1: 29bbf6af4f4d8913d9da46dfacbd578921272cc4
  SHA256: 70d70c1b1d4d778430c904fdff9f6c9301126c8d9482c5c4aa777fc9b4771df5
  SHA512: 348105ab8f6aa2d9c95ece270574de4d57fd845991d045daf7c4c0682f220a79210ab9d127beb24cb4059310b6e3af8a4d99f0a606c913a5cac859eef533969b

File 2
  Filesize: 224B
  MD5: 7f9a8299d2db5361e4bb0d66a577cecd
  SHA1: 60f42cbeedaeac6061355739a6d5235774c88d49
  SHA256: 96f88ffe17b1e97f758f3f5141b3548f494006ea865db080ac35a779000de962
  SHA512: 59b38493003794c34bbc0eb84b28b8d27825e1aaef78a2181569f07b68966140b4977cb575df751c95d16fe714b1b502c415b368a8052830bcbdc0e20a54b415

File 3
  Filesize: 512B
  MD5: 896dfeadafd9acbbf34dcc5108195005
  SHA1: cf0c3bb75671f13bac3b1756fa117962aabeab5d
  SHA256: 8da07934a5b4d5817f3b786d5d52e055dcc507e3ad4bfe50460fa6603e328413
  SHA512: 7446e246bd08c03da634e2e6213b4eed55305d4db7ceb45f84b5f3434799fd2285cde48b9e5d8a7b269a901a5f621af92431151e68a6a8c464a1ad7285d25e3f

File 4
  Filesize: 336KB
  MD5: f833854b181789cd6d6d2ad7c1c1bda4
  SHA1: cf10aa8f2eb36b47eeea63d5576ad7f8e4e35dd6
  SHA256: c6ec26847855de87dddb3ff7d345cd188aca2e91484dcb9acfd582e24be9c92d
  SHA512: e27ef972e4cab32c1011afe89f98ab8b5c65a84003b501109a1c3a9c03aacf5d3fbf03b53e1c78738cfc1a5e805dd7533a52c53d89f253e0d0f9ce711c0f1a6f

File 5
  Filesize: 223KB
  MD5: d6a30aa9c8f7c87843979bb70035f006
  SHA1: 73a85040bd04262dea1c2a9ccac350430fcd50bd
  SHA256: ea02049650131ed35f44f4de3bd491872bf173453d56ce3004b581815dc392b3
  SHA512: 2d3630cd0d9d68e526c9670ebff3e3651cad4cce15dd5e7390dc58474cbf7b9fb88b05ce3761831c96e5ba6229449d29971f7c5c984fa08830d4dd9dd281f69b

File 6
  Filesize: 337KB
  MD5: c5ba752500fd4fdf68d8e46174b9b8a3
  SHA1: ef6be9cf8dfb2bd6524d0d7d558b42a54b4e4e32
  SHA256: 9f6d3a86d9043ddb6c9d8213debab64e8d9b9fe29bc5ad645928c3b89eabe5a3
  SHA512: fc0b42c028d40625145cea2b67bfcff8171dd820e5c89cd2406c464a4e4f02b8d366a5fda2f7ed6a933a2113e7f6ddb70a0a7ab53964c5b54366b9b301d2c20e