Analysis
max time kernel: 112s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/08/2024, 21:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0674157bfbdc51d631ef469f2234e2b0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 0674157bfbdc51d631ef469f2234e2b0N.exe
  Resource: win10v2004-20240730-en
General
Target: 0674157bfbdc51d631ef469f2234e2b0N.exe
Size: 56KB
MD5: 0674157bfbdc51d631ef469f2234e2b0
SHA1: e6abb37e411e766202a33b0ff11215e1fa9313b4
SHA256: b02fed112abb4b3528975f26708bc361c531e1df31fc39cdb1acdc04c2bbaead
SHA512: df5ff2b26c22d14971fa67447fd2f70b5b34bd5722e8a9dfed0cbb418ba5ef5079f7e085cc4a3f476aacfe70da8c257eecd920368f66b7248380ada9845b28ee
SSDEEP: 384:asjPGY2HXgrkEYYhQ98E8I1XAV/QcaYpATUgch1A9NB/erxlFIQ:aePG5H8XhKD8ISZQjkgs1lxlFd
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Reads the country code configured in the registry (Control Panel\International\Geo\Nation); this is a common geofencing check used to avoid running in, or to target, particular regions.
description        ioc                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation  0674157bfbdc51d631ef469f2234e2b0N.exe
Executes dropped EXE (1 IoC)
pid   Process
4256  winupdate.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Both the original sample and the dropped winupdate.exe open the key.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0674157bfbdc51d631ef469f2234e2b0N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winupdate.exe
Suspicious use of WriteProcessMemory (3 IoCs)
All three writes go from the original sample (PID 2148) into the process it has just spawned (PID 4256, winupdate.exe). A parent writing into a freshly created child also happens during ordinary process creation, when the new process's parameters are populated, so on its own this is a weak indicator; the execution of a dropped binary from the user's Temp directory is the stronger signal here.
description  pid   Process                                procid_target
PID 2148 wrote to memory of 4256  2148  0674157bfbdc51d631ef469f2234e2b0N.exe  84
PID 2148 wrote to memory of 4256  2148  0674157bfbdc51d631ef469f2234e2b0N.exe  84
PID 2148 wrote to memory of 4256  2148  0674157bfbdc51d631ef469f2234e2b0N.exe  84
Processes
C:\Users\Admin\AppData\Local\Temp\0674157bfbdc51d631ef469f2234e2b0N.exe  "C:\Users\Admin\AppData\Local\Temp\0674157bfbdc51d631ef469f2234e2b0N.exe"  (depth 1, PID 2148)
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\winupdate.exe  "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"  (depth 2, PID 4256)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
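The behaviours the report ties to this process tree (country and language registry reads, execution of a dropped EXE from the user's Temp directory, and parent-to-child WriteProcessMemory) can be matched mechanically from the event stream. The following is an added Python example, not part of the tria.ge report or of the sample: the Event schema, the tag names and the in-memory event list are assumptions constructed to mirror the Signatures and Processes sections above. It also applies the caveat that writes into a child the writer itself just created are graded lower than writes into an unrelated process.

```python
from collections import defaultdict
from dataclasses import dataclass

# Registry key suffixes queried in this report (geofence / language discovery),
# compared case-insensitively against the full path the sandbox logs.
LOCALE_KEY_SUFFIXES = (
    r"\control panel\international\geo\nation",
    r"\system\controlset001\control\nls\language",
)
# Sandbox user's Temp directory, as shown in the process tree above.
TEMP_DIR = r"c:\users\admin\appdata\local\temp" + "\\"


@dataclass
class Event:
    """One sandbox event. The schema is an assumption made for this example."""
    kind: str        # "process_start" | "reg_open" | "write_process_memory"
    pid: int         # acting process
    image: str = ""  # image path (process_start only)
    ppid: int = 0    # parent pid (process_start only)
    key: str = ""    # registry path (reg_open only)
    target: int = 0  # pid written to (write_process_memory only)


def analyze(events):
    """Return {pid: sorted list of tags} for processes matching the report's behaviours."""
    procs = {}                      # pid -> (image, ppid)
    locale_keys = defaultdict(set)  # pid -> locale key suffixes it opened
    writes = defaultdict(set)       # writer pid -> pids it wrote into
    for e in events:
        if e.kind == "process_start":
            procs[e.pid] = (e.image, e.ppid)
        elif e.kind == "reg_open":
            k = e.key.lower()
            locale_keys[e.pid].update(s for s in LOCALE_KEY_SUFFIXES if k.endswith(s))
        elif e.kind == "write_process_memory":
            writes[e.pid].add(e.target)

    tags = defaultdict(set)
    for pid, (image, ppid) in procs.items():
        if locale_keys[pid]:
            tags[pid].add("locale_discovery")
        # Full geofence pattern from the report: country code AND system language.
        if len(locale_keys[pid]) == len(LOCALE_KEY_SUFFIXES):
            tags[pid].add("geofence_check")
        parent_image = procs.get(ppid, ("", 0))[0]
        if image.lower().startswith(TEMP_DIR) and parent_image.lower().startswith(TEMP_DIR):
            tags[pid].add("dropped_exe_in_temp")
            tags[ppid].add("drops_and_executes")
    for writer, targets in writes.items():
        for t in targets:
            if procs.get(t, ("", 0))[1] == writer:
                # Writing into a child you just created also happens during normal
                # process creation, so grade it low rather than dropping it.
                tags[writer].add("writes_child_memory(low)")
            else:
                tags[writer].add("writes_foreign_memory(high)")
    return {pid: sorted(t) for pid, t in tags.items()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0674157bfbdc51d631ef469f2234e2b0N.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed event list mirroring the Signatures and Processes sections of this report.
EVENTS = [
    Event("process_start", 2148, image=SAMPLE, ppid=0),
    Event("reg_open", 2148, key=GEO_KEY),
    Event("reg_open", 2148, key=NLS_KEY),
    Event("process_start", 4256, image=DROPPED, ppid=2148),
    Event("write_process_memory", 2148, target=4256),
    Event("write_process_memory", 2148, target=4256),
    Event("write_process_memory", 2148, target=4256),
    Event("reg_open", 4256, key=NLS_KEY),
]

if __name__ == "__main__":
    for pid, found in analyze(EVENTS).items():
        print(pid, ", ".join(found))
```

Run stand-alone it tags PID 2148 as the geofencing dropper and PID 4256 as the dropped, language-checking child; feeding it an event where a process writes into something other than its own child raises the memory-write tag to high.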
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 56KB
MD5: 116b4a3e0a6ca6d728a6973066f5ebbd
SHA1: 0c0289198bc262d6cc7379a974e6887c854808a6
SHA256: 0a305ed82edec8a7ecc16054d463371dc57eef2f57983df53c4016e838256c50
SHA512: 079451082ab02727562f804fdee5c928c101b36f65ca0abc6823632b0328db1a076f7b1a55c3dccb0de82385bbd862e85b838d04bbe93d8189d890b6d2139b04