Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/08/2024, 19:00
Static task
static1
Behavioral task
behavioral1
Sample
168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
Resource
win10v2004-20240802-en
General
-
Target
168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe
-
Size
7.0MB
-
MD5
9f45622774c7d19b96b520b37dc56055
-
SHA1
b33b3bf504155b47efa9a9f44dff88c2df03a6d2
-
SHA256
168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9
-
SHA512
f60523676f18ee42633fce9e40dd3e4ff8d2b1f855a9016c0c20023491424aa091a538022a938fba43ef7935c24d3384e8b7a713427ba71f0ae3ae206409defc
-
SSDEEP
98304:emhd1Uryey4MhYILo/erQMLeZrDV7wQqZUha5jtSyZIUbn:elfm8V92QbaZtliK
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3892 8ED2.tmp -
Executes dropped EXE 1 IoCs
pid Process 3892 8ED2.tmp -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ED2.tmp -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4408 wrote to memory of 3892 4408 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 86 PID 4408 wrote to memory of 3892 4408 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 86 PID 4408 wrote to memory of 3892 4408 168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe"C:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\8ED2.tmp"C:\Users\Admin\AppData\Local\Temp\8ED2.tmp" --splashC:\Users\Admin\AppData\Local\Temp\168cd6fc355f8f629e8466375cf103eefe38193fa10908b39266aef9023436c9.exe CFA41273D38A0520103D3B14E92B6E159ADA98A00873CFE79031C2AEFD1488F932CFD4346970CC9B3CFBDF214E219DD236C7EB2A6C4AB5118A60E3E147EF4FDC2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3892
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.0MB
MD500b775694eb82bc6730d3caece5581bf
SHA177fe7c694c621ac0e4d59b5c53521de480e55006
SHA256d02fc7ab7f06e8e961bb2f9119a6ff118296859b7c6f75bb759f02f020ca6ce3
SHA512bb434664500a4eb1ae563c9bf5e211e7ca8cc6a368eac88278edbb2b309352d7c39c6a975dd39f4079aa85219fdab81c6943ba7ee6fa3962e5a19904d33992e2