Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
03/08/2024, 07:27
Static task
static1
Behavioral task
behavioral1
Sample
6aebfb5f5633404634d1d1ffaa962820N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
6aebfb5f5633404634d1d1ffaa962820N.exe
Resource
win10v2004-20240802-en
General
-
Target
6aebfb5f5633404634d1d1ffaa962820N.exe
-
Size
29KB
-
MD5
6aebfb5f5633404634d1d1ffaa962820
-
SHA1
1c6fd52fc7726d4c7ac1597ed59874ffb3d2268f
-
SHA256
4f844ecae6ec1799c6dfd917f8da5f19fb863ed842a01e34a18db32147e04bf0
-
SHA512
2c385765be5df80b426029a31d16c52d0b5925b122e582f3cb706ce38e6a4ddc5cdf17dd6767b574d561d6b1cf880016fae1b5781dd413aefba19ebd0003284e
-
SSDEEP
384:v/4LNJY74JwOllSBQmrb0i5PrmqHIKpa54b5f0iws0wGXeE:v/qSamrxDmqoKM4Z0iwtwAZ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
3152  2024080307.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6aebfb5f5633404634d1d1ffaa962820N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024080307.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
232   6aebfb5f5633404634d1d1ffaa962820N.exe
3152  2024080307.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                        pid  Process                                procid_target
PID 232 wrote to memory of 3152    232  6aebfb5f5633404634d1d1ffaa962820N.exe  81
PID 232 wrote to memory of 3152    232  6aebfb5f5633404634d1d1ffaa962820N.exe  81
PID 232 wrote to memory of 3152    232  6aebfb5f5633404634d1d1ffaa962820N.exe  81
PID 232 wrote to memory of 2220    232  6aebfb5f5633404634d1d1ffaa962820N.exe  83
PID 232 wrote to memory of 2220    232  6aebfb5f5633404634d1d1ffaa962820N.exe  83
PID 232 wrote to memory of 2220    232  6aebfb5f5633404634d1d1ffaa962820N.exe  83
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\6aebfb5f5633404634d1d1ffaa962820N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6aebfb5f5633404634d1d1ffaa962820N.exe"
Depth: 1
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 232
-
    Image: C:\Users\Admin\AppData\Local\Temp\2024080307.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024080307.exe down
    Depth: 2 (parent PID 232)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3152
    -
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
    Depth: 2 (parent PID 232)
    - System Location Discovery: System Language Discovery
    PID: 2220
    -
Note: cmd.exe was invoked as C:\Windows\system32\cmd.exe but the loaded image is C:\Windows\SysWOW64\cmd.exe. The sample is a 32-bit (x86) executable (see the arch:x86 resource tag) running under WOW64 on the x64 image, so file system redirection mapped system32 to SysWOW64. The chain is the usual dropper shape: the original file writes a second executable to Temp, launches it with the argument "down", and runs a batch file from Temp through cmd.exe /c, the typical way a dropper removes itself after its payload is running.
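The process tree above is a compact dropper pattern (Temp executable spawns a second Temp executable, then runs a Temp .bat via cmd.exe /c). The following is an added Python example, not tria.ge code, showing how to flag that pattern over process-creation events. The events are constructed here to mirror the tree in this report plus two benign events that must not match; the field names (pid, ppid, image, cmdline) are an assumption loosely following Sysmon Event ID 1, not the sandbox's own schema.

```python
import re
from dataclasses import dataclass

# Matches a path under the per-user Temp directory (assumption: the profile
# layout seen in the report, C:\Users\<user>\AppData\Local\Temp\...).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Extracts the batch file handed to "cmd.exe /c <file>.bat" (optionally quoted).
BAT_RE = re.compile(r'/c\s+"?([^"\s]+\.bat)', re.IGNORECASE)


@dataclass
class ProcEvent:
    """One process-creation event. Field names are an assumption loosely
    following Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events mirroring the process tree in the report,
# plus two benign events (constructed) that the rules must ignore.
SAMPLE_EVENTS = [
    ProcEvent(232, 0,
              r"C:\Users\Admin\AppData\Local\Temp\6aebfb5f5633404634d1d1ffaa962820N.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\6aebfb5f5633404634d1d1ffaa962820N.exe"'),
    ProcEvent(3152, 232,
              r"C:\Users\Admin\AppData\Local\Temp\2024080307.exe",
              r"C:\Users\Admin\AppData\Local\Temp\2024080307.exe down"),
    ProcEvent(2220, 232,
              r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat"),
    # Benign noise: an installed application spawning cmd.exe, nothing in Temp.
    ProcEvent(4000, 1000, r"C:\Program Files\App\app.exe", r'"C:\Program Files\App\app.exe"'),
    ProcEvent(4001, 4000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c echo ok"),
]


def in_temp(path: str) -> bool:
    """True when the path lies under the user's AppData\Local\Temp directory."""
    return bool(TEMP_RE.search(path))


def find_dropper_chains(events):
    """Return (rule, parent_pid, child_pid, artifact) for each child whose parent
    image lives in Temp and which is either another EXE in Temp (the dropped
    payload being executed) or cmd.exe running a .bat from Temp (cleanup step).
    Requiring the parent to be in Temp is what keeps ordinary cmd.exe use quiet."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not in_temp(parent.image):
            continue
        image = e.image.lower()
        if in_temp(e.image) and image.endswith(".exe"):
            findings.append(("temp_exe_spawns_temp_exe", parent.pid, e.pid, e.image))
        elif image.endswith("\\cmd.exe"):
            m = BAT_RE.search(e.cmdline)
            if m and in_temp(m.group(1)):
                findings.append(("temp_exe_runs_temp_bat_via_cmd", parent.pid, e.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, ppid, pid, artifact in find_dropper_chains(SAMPLE_EVENTS):
        print(f"{rule}: parent {ppid} -> child {pid}: {artifact}")
```

Both rules key on the parent image, not just the child, so a user manually running a .bat from Temp via Explorer does not trigger; the WOW64 SysWOW64 path for cmd.exe is handled by matching only the trailing \cmd.exe.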
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
29KB
MD5 c7a3d1880d6a0a1a6ece4d9d3fcaa821
SHA1 72bf7deb94e59288b4a89b0abb7e4ab34a301b98
SHA256 cdc8e0d9e3decf1b073fad1e0b1b8c5f588e50fa18b55dba0e6e5dc49b770390
SHA512 e7ca99ba3f8325bcdc698a4d260590d9fd814ab8333084081a8e049b5b486dab26644b0525941d24140d47857f4508e1f1ae30bdfcb9240a67d9e573c44cdbf8
-
Filesize
174B
MD5 85865696552da793a4c8ed52ab95a174
SHA1 f9a5acccda63787541dad36ecf2a5ee9f304c90a
SHA256 b414467bd4a7043f2c4debda871dbe549eb129d3b180158aa4a32be22c00e53f
SHA512 cae0f8a9fb082898b444283627cd8bd546acfaaf241278a7f6ba5e172de25e0f0b003bd51c0a712884e737fdce500d76516fb882589b1d7028acc238d209f07b