Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 06:37
Static task: static1
Behavioral task: behavioral1
- Sample: 2d6f723b9839621479baf29358634f10N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2d6f723b9839621479baf29358634f10N.exe
- Resource: win10v2004-20240802-en
General
- Target: 2d6f723b9839621479baf29358634f10N.exe
- Size: 515KB
- MD5: 2d6f723b9839621479baf29358634f10
- SHA1: 387a9f2845133a53a40a9db143b7332e80df8ae1
- SHA256: 122647b0e0d506d90083df1b85b045bcdfe2865b7ed56f5841bf3923cb053686
- SHA512: adec58c00b406f00308a35cfa1b9046073c443e5b27e4eea0bab108c4f7f7e303c47d446dbd51e89deac807b95f48038c5f24b1c313fb47c08bc7fc3f408fe2c
- SSDEEP: 12288:/n8yN0Mr8ZmkVyy2Vypm3MsS50ugfWaJexX6:vPuZmkVyy2uY7S5hV6
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process:
  - Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 2d6f723b9839621479baf29358634f10N.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | Isass.exe
- Executes dropped EXE (3 IoCs)
  pid | Process:
  - 1960 | Isass.exe
  - 4676 | Isass.exe
  - 4836 | 2d6f723b9839621479baf29358634f10N.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process:
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | 2d6f723b9839621479baf29358634f10N.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" | 2d6f723b9839621479baf29358634f10N.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process:
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2d6f723b9839621479baf29358634f10N.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Isass.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Isass.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process:
  - 2732 | 2d6f723b9839621479baf29358634f10N.exe
  - 2732 | 2d6f723b9839621479baf29358634f10N.exe
  - 1960 | Isass.exe
  - 1960 | Isass.exe
  - 4676 | Isass.exe
  - 4676 | Isass.exe
  - 4676 | Isass.exe
  - 4676 | Isass.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target:
  - PID 2732 wrote to memory of 1960 | 2732 | 2d6f723b9839621479baf29358634f10N.exe | 83
  - PID 2732 wrote to memory of 1960 | 2732 | 2d6f723b9839621479baf29358634f10N.exe | 83
  - PID 2732 wrote to memory of 1960 | 2732 | 2d6f723b9839621479baf29358634f10N.exe | 83
  - PID 2732 wrote to memory of 4676 | 2732 | 2d6f723b9839621479baf29358634f10N.exe | 84
  - PID 2732 wrote to memory of 4676 | 2732 | 2d6f723b9839621479baf29358634f10N.exe | 84
  - PID 2732 wrote to memory of 4676 | 2732 | 2d6f723b9839621479baf29358634f10N.exe | 84
  - PID 4676 wrote to memory of 4836 | 4676 | Isass.exe | 86
  - PID 4676 wrote to memory of 4836 | 4676 | Isass.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe"
  PID: 2732
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Microsoft Build\Isass.exe (depth 2)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    PID: 1960
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Public\Microsoft Build\Isass.exe (depth 2)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe
    PID: 4676
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe"
      PID: 4836
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads