Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

4

Static

static

3

0029d4cef8...0N.exe

windows7-x64

4

0029d4cef8...0N.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    94s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/08/2024, 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0029d4cef8c491684ffcc733edf41560N.exe

  • Size

    90KB

  • MD5

    0029d4cef8c491684ffcc733edf41560

  • SHA1

    71e9340b66c324a128f1b32df20a67766f5da299

  • SHA256

    4f42d57faf56efc851bdf84f4c50786b431be91d7ba8422ab67807e0a66737f0

  • SHA512

    15f8217a955e872e2b9e7503ab5853b2c406903488048142ff275bd390022f1e6cf5fb6f83a4c53b5f98a9ecb00a499bc8ab01640befa1fc51b2ebf6d6de6fec

  • SSDEEP

    1536:wQWLl4DvFqc0kBTC92u3P4de9HjZA625DmgfKRvfDhdP:+JoQc0mu/3PTH1AbDmgfKDh1

Score
4/10
discovery

Malware Config

Signatures

  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 38 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0029d4cef8c491684ffcc733edf41560N.exe
    "C:\Users\Admin\AppData\Local\Temp\0029d4cef8c491684ffcc733edf41560N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~9AF8.bat "C:\Users\Admin\AppData\Local\Temp\0029d4cef8c491684ffcc733edf41560N.exe"
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1672
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "╠╘▒ª╣║╬∩╠╪╝█╙┼╗▌╟°" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1320
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "╠╘▒ª-╣║╬∩" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3360
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3628
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3320
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2952
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3732
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1868
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2896
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "╠╘▒ª-╣║╬∩(&H)" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:4692
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2916
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)" /v "MUIVerb" /t REG_SZ /d "┐¬╩╝╣║╬∩" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2968
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1356
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\╠╘▒ª-╣║╬∩(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://taobao.taohee.com/?1" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3128
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1240
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1836
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1632
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1236
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\QQ.lnk
    Filesize

    636B

    MD5

    7408b1be46f0598d4e1f21d1a5d6252c

    SHA1

    aed5f86bf363521c910bbfd0614e8fb658600509

    SHA256

    128674b55407f9925bff787a97370f1bd8b0d29add8146056f810e06703e9214

    SHA512

    c9f8c46a13dd0e4ca2bd8946533b6dffdaa88239e9011e201c0d1dc6177fb09cbe913a38651eb1bfee69e1ae3dd0deca42e5a774fd909503a3113850b3d85615

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~9AF8.bat
    Filesize

    2KB

    MD5

    7009a7eef740e60e8a82ed95f73533ca

    SHA1

    152824f5a0782d9cdd13346c77e02f1803bc31ae

    SHA256

    c75b7f6dbb633d810de7ebfac3be615f66c712d54423e2ba097fa22b0439b1ff

    SHA512

    e6e3d9b84db4ab651fea7376fd4957f2daf6be87c38cfc463881d035a770be590c7639480c658bcaa4fa0beaddd49b8bd0bb8d64ae151bc224bd1dcf6fad734d

    Download Submit

  • C:\Users\Admin\AppData\Local\iedw.ico
    Filesize

    14KB

    MD5

    468fada123f5548ac87e57bae81f6782

    SHA1

    edb8f012c25906e6afd8bf335b495e16c440243d

    SHA256

    091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

    SHA512

    635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

    Download Submit

  • memory/3048-13-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download