Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/08/2024, 21:52
Behavioral task
behavioral1
- Sample: 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
- Resource: win7-20240704-en
General
- Target: 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
- Size: 246KB
- MD5: d7a82d875706d57720b3a35ea797290d
- SHA1: 9dbc048de8ea29ab951b08341fd141dcd317f78f
- SHA256: 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd
- SHA512: f8ecd8c34a84448291d99f0135811da9dedeb7aea6a25db19aa98ce6b4f9366959a57409f4549bb7d93678d6a4d35657822725227741b9e3d289b4526bfae2d8
- SSDEEP: 6144:FMooVQnnOBccnskYPmTpUxrr1XRA7WHxWoN+J0EafCUSYibN6WG8M:+QnO/s1mTpG5bUo4bafVibv3M
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
- yara_rule matches (memory dumps)
resource | yara_rule
behavioral2/memory/1904-1-0x0000000000400000-0x0000000001C5B000-memory.dmp | upx
behavioral2/memory/1904-2-0x0000000000400000-0x0000000001C5B000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2428 | cmd.exe
5000 | PING.EXE
- Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
pid | Process
2720 | systeminfo.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
5000 | PING.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1904 wrote to memory of 2428 | 1904 | 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe | 86
PID 1904 wrote to memory of 2428 | 1904 | 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe | 86
PID 1904 wrote to memory of 2428 | 1904 | 58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe | 86
PID 2428 wrote to memory of 2720 | 2428 | cmd.exe | 88
PID 2428 wrote to memory of 2720 | 2428 | cmd.exe | 88
PID 2428 wrote to memory of 2720 | 2428 | cmd.exe | 88
PID 2428 wrote to memory of 5000 | 2428 | cmd.exe | 92
PID 2428 wrote to memory of 5000 | 2428 | cmd.exe | 92
PID 2428 wrote to memory of 5000 | 2428 | cmd.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58b1f237a3e815dc907cba9682543d1e4c6ddb3b05df16cef89a584a0c0761dd.exe"
  PID: 1904
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c systeminfo>>C:\Windows\temp\setup_gitlog.txt&ping 8.8.8.8>>C:\Windows\temp\setup_gitlog.txt
      PID: 2428
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\systeminfo.exe
          Command line: systeminfo
          PID: 2720
          - System Location Discovery: System Language Discovery
          - Gathers system information
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 8.8.8.8
          PID: 5000
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33B
- MD5: 346bbdef8e66561ce4c33013160d7c75
- SHA1: 023e40d5eb04b2d7e8346ea0c9a62b05d372abec
- SHA256: ce357dc9d96cbb6933f7895d5fee9052b72733c2db9fc32b1555761b1bd0c277
- SHA512: f2fd0412846455ee0f47f9e88192ea4c6ee60c3118be40a44c9b626566652ed46b1c3a0708a7ec6feba7a9cafc61091a2a1c6cb864a99a081bb842625040594f