Analysis
Max time kernel: 111s
Max time network: 116s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27/07/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 796d5fd43f61d0aa651c36d3319a2430N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 796d5fd43f61d0aa651c36d3319a2430N.exe
  Resource: win10v2004-20240709-en
General
Target: 796d5fd43f61d0aa651c36d3319a2430N.exe
Size: 97KB
MD5: 796d5fd43f61d0aa651c36d3319a2430
SHA1: 1811e71f462857ec98c27ef86e45dcdeb1eff0ae
SHA256: 66c3f4fdab0b40e546042e39736780936d3a80f5f04d563a4c3b007b72e3edcc
SHA512: 910acd2cdf73278514be544e0b30060ec3dc4c1a3c7ce2e84e267242b65fa5d2d060012409243cd41aacbbb62f9c2fd3b30e938141915ffd9462bbbfc2c0f764
SSDEEP: 1536:iF0AJzLopHG9aa+9qX3apJoAKWYr0vcioyjp2RXKTzRZICrWaGZh7e:iiApLN9aa+9U2EWyipjp2R6JJrWNZ4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 3352, process WwanSvc.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run" (process: 796d5fd43f61d0aa651c36d3319a2430N.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 796d5fd43f61d0aa651c36d3319a2430N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WwanSvc.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2288 (796d5fd43f61d0aa651c36d3319a2430N.exe) wrote to memory of PID 3352, procid_target 87
  PID 2288 (796d5fd43f61d0aa651c36d3319a2430N.exe) wrote to memory of PID 3352, procid_target 87
  PID 2288 (796d5fd43f61d0aa651c36d3319a2430N.exe) wrote to memory of PID 3352, procid_target 87
Processes
C:\Users\Admin\AppData\Local\Temp\796d5fd43f61d0aa651c36d3319a2430N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\796d5fd43f61d0aa651c36d3319a2430N.exe"
  PID: 2288
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process: C:\ProgramData\Update\WwanSvc.exe
    Command line: "C:\ProgramData\Update\WwanSvc.exe" /run
    PID: 3352
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 97KB
MD5: 7e94fc08be88ff2aa19186d5abc0c027
SHA1: aca335b57dbc5b9aacc1884ec7385d88c0d3f6af
SHA256: 4ed074b4fd5d6fdfdb21b30319efcde894921360aa277ebce18c12cc84e02737
SHA512: 51e6301d68ced41c87977d467a76e853aa7b8d0725e4fea021e6d869e1129b0327f1a8c99656f3e895991bf590cac1450a4e795242d0994cddefeedb2e113d3e