Analysis
max time kernel: 120s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2024, 05:58
Static task: static1
Behavioral task: behavioral1
  Sample: 3f221ec7bfaddef6408ec390f55f0a20N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3f221ec7bfaddef6408ec390f55f0a20N.exe
  Resource: win10v2004-20240802-en
General
Target: 3f221ec7bfaddef6408ec390f55f0a20N.exe
Size: 11KB
MD5: 3f221ec7bfaddef6408ec390f55f0a20
SHA1: f8b94fb3a928f0b90f802d0bfc09f39e5ebe41c1
SHA256: 0576d4515f0ae1262a0a5d03d0e3fa7d37ce1f15e0aee73bce878286f2d9ce43
SHA512: 1769d076660e141b2cd46f12f98f3cf693415d2ca98ed431a12356214a34d63ca1be9020ec0cf1cb26514d2c4c6a78f1ef858ba0e5473f28ee137cf9b6aba2f3
SSDEEP: 192:Zg6eHLE5KxkDpnqKjIdtaCRYvRtCk1rE1Ty68A3CuYYpZ7E:G6eHIAx0pqNgHvRtoyhASuYYpZ7E
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (process: 3f221ec7bfaddef6408ec390f55f0a20N.exe)
Executes dropped EXE (1 IoC)
  PID 2064: xplorer.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe" (process: reg.exe)
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\xplorer\xplorer.exe (process: 3f221ec7bfaddef6408ec390f55f0a20N.exe)
  File opened for modification: C:\Windows\xplorer\xplorer.exe (process: 3f221ec7bfaddef6408ec390f55f0a20N.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: reg.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xplorer.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3f221ec7bfaddef6408ec390f55f0a20N.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, PID 2064, xplorer.exe (the same entry is recorded 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3440: 3f221ec7bfaddef6408ec390f55f0a20N.exe
  PID 2064: xplorer.exe
Suspicious use of WriteProcessMemory (9 IoCs; each of the three writes below is recorded three times)
  PID 3440 (3f221ec7bfaddef6408ec390f55f0a20N.exe) wrote to memory of PID 2308, procid_target 90
  PID 2308 (cmd.exe) wrote to memory of PID 3060, procid_target 93
  PID 3440 (3f221ec7bfaddef6408ec390f55f0a20N.exe) wrote to memory of PID 2064, procid_target 94
Processes
[1] C:\Users\Admin\AppData\Local\Temp\3f221ec7bfaddef6408ec390f55f0a20N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f221ec7bfaddef6408ec390f55f0a20N.exe"
    PID: 3440
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQGUP.bat" "
        PID: 2308
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
            PID: 3060
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
    [2] C:\Windows\xplorer\xplorer.exe
        Command line: "C:\Windows\xplorer\xplorer.exe"
        PID: 2064
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  File size: 124B
  MD5: 4e6e99d38b1264af2b53a68c7cd6d648
  SHA1: 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
  SHA256: 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
  SHA512: bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d
File 2
  File size: 11KB
  MD5: 91f775d4c83ad574e30d8f830c1ac6d2
  SHA1: 00dc18a1ae46404e1c17af7e5d0bdd5cab6a33df
  SHA256: 3d527c7629cdfb8b978f883a3e2fb92b32c2db83c82ad29047e3fbb31d6dfa31
  SHA512: a454af8971ac51b2cea2a1680debe69a5bc0fd0764409af2cc63ef5a12c0269489ce6a777482aa33e449cf69b6edc4d9e4eb8417786f84b70c7a262b8e26dc13