Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

43fae6a60d...cd.exe

windows7-x64

7

43fae6a60d...cd.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 05:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43fae6a60dffcc47045c6f132d41ec77db2134dc825c35d1bf3abeb7210226cd.exe

  • Size

    5.0MB

  • MD5

    6d7b8f5bfd03d8fdacebd97ea437b559

  • SHA1

    d7b3a1bcd0b1cda98805165e726cc8716d86c1f4

  • SHA256

    43fae6a60dffcc47045c6f132d41ec77db2134dc825c35d1bf3abeb7210226cd

  • SHA512

    12b15265295f1e7fbb4a1e75a43ac2fa9e988526724032fd20d2053ab47832488759b0be8e562be391ddecc2eab4d3ec98279e825e6cfcc73b356093a6a53ca6

  • SSDEEP

    98304:NcFiJETrDllPOOCrbAyNa0hdvV8Y288tjxGjQ/cshPyBe+Rr0NuTBpVY:jJSDbPOEodvO88tjxGjQEsae+5ntY

Score
7/10
defense_evasiondiscoveryprivilege_escalation

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
    defense_evasionprivilege_escalation
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43fae6a60dffcc47045c6f132d41ec77db2134dc825c35d1bf3abeb7210226cd.exe
    "C:\Users\Admin\AppData\Local\Temp\43fae6a60dffcc47045c6f132d41ec77db2134dc825c35d1bf3abeb7210226cd.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\MiddleWareX.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\SysWOW64\mshta.exe
        mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\MIDDLE~1.BAT ::","","runas",1)(window.close)
        3⤵
        • Checks computer location settings
        • Access Token Manipulation: Create Process with Token
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\MIDDLE~1.BAT ::
          4⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32 /u /s C:\Windows\SysWOW64\MiddleWareX.ocx
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1872
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32 /s C:\Windows\SysWOW64\MiddleWareX.ocx
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:3848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MiddleWareX.bat
    Filesize

    289B

    MD5

    2c4b4ba717acec4f8629f295b202f49c

    SHA1

    93837ef6098e8de8cc50c20d2a5dada3f7a48892

    SHA256

    8c1179c8249eb42966164221056570f651d1f24cea66122130cd933e43e24c7f

    SHA512

    184ab3940e7240e30872fd3223d51c11871bdd874b8d8d6062baff9907e95f29cae322f8113f046f7e1fad54d9fef9b692c8854df2536804e06723d02abbf99d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MiddleWareX.ocx
    Filesize

    2.1MB

    MD5

    dc4a6a41db0678422c5fbbb1068b1752

    SHA1

    a6b80709cc11ebee962873a777a6ca08b85608cd

    SHA256

    03965be1329c5f2e2983de87740c03d122df7088a31a50e3fbbbb970e29edd75

    SHA512

    d7ca0a267d385bb647042004af3c88b13154d3ac7f2d77a33ba9d434ed035e59cb32a57fea248587a8f69e5c254e042301cf9b46121615f57fe10032bba7a1b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MiddleWareX_App.log
    Filesize

    331B

    MD5

    e97b1152cfd26992ba5d0682bc07e36e

    SHA1

    2e64f041553aa790ad5f176d4ffe6aa0952a6a51

    SHA256

    09328bd4ff7a8676702402b24f7abdf6249abe354f944d6a154ef4b9f8311ae2

    SHA512

    b27d96ccae1a67e72d9aa66870acd33b63a9b669bd3c44b52021c28e1c7d8fd334d05c888aaed2cd161795036c3d2ff0f2f0378dc656f0748c9351b63f4dfd25

    Download Submit