Analysis
Max time kernel: 143s
Max time network: 136s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21/08/2024, 20:27
Static task: static1
Behavioral task: behavioral1
Sample: setup.exe
Resource: win7-20240704-en
General
Target: setup.exe
Size: 1.4MB
MD5: 706c6bfc8bfc84cff339ad4f1383b5f6
SHA1: 2bee5db2fc7f4c0cb9657b3c56381edf55f20b9e
SHA256: a24bca9187ab78b0e924a7c34e897fbe6410dac464ad5df0f9652339e99328be
SHA512: 40fde805e9c2f8b4803924cdedf87bbb3deb80143110ca1cbad98648ea511d4e99ac82444ae13a275fe8c36bbfdaef81b2a5e9f55fddb5cecbd66dcfce6a8b90
SSDEEP: 24576:mbn04bdgOwOvZc+y8UZ3BQ9KtFkva8DgY4bQzy5kafTQUIz:m5ggc+GZ0KsTkxbEy2wTgz
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc" | remotesetup.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica | remotesetup.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | remotesetup.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | remotesetup.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | remotesetup.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ | remotesetup.exe

Executes dropped EXE (4 IoCs)
pid | Process
724 | setup.exe
2616 | dudu.exe
4016 | remotesetup.exe
3336 | is-CVFOL.tmp

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\DDD_Install_Program.job | remotesetup.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dudu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | is-CVFOL.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remotesetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 5044 wrote to memory of 724 | 5044 | setup.exe | 88
PID 5044 wrote to memory of 724 | 5044 | setup.exe | 88
PID 5044 wrote to memory of 724 | 5044 | setup.exe | 88
PID 5044 wrote to memory of 2616 | 5044 | setup.exe | 89
PID 5044 wrote to memory of 2616 | 5044 | setup.exe | 89
PID 5044 wrote to memory of 2616 | 5044 | setup.exe | 89
PID 2616 wrote to memory of 4016 | 2616 | dudu.exe | 90
PID 2616 wrote to memory of 4016 | 2616 | dudu.exe | 90
PID 2616 wrote to memory of 4016 | 2616 | dudu.exe | 90
PID 724 wrote to memory of 3336 | 724 | setup.exe | 91
PID 724 wrote to memory of 3336 | 724 | setup.exe | 91
PID 724 wrote to memory of 3336 | 724 | setup.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5044

  C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\setup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\setup.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 724

    C:\Users\Admin\AppData\Local\Temp\is-BGOO0.tmp\is-CVFOL.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-BGOO0.tmp\is-CVFOL.tmp" /SL4 $B0270 C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\setup.exe 812133 50688
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3336

  C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\dudu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\dudu.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2616

    C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
      - Modifies firewall policy service
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 4016
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 220KB
MD5: 0b2a860a558ca00e1b4f389b6d8be1e6
SHA1: 5e5a12756446751482d3db2798bd954f2f49ee68
SHA256: 81db7a9742cb8fb50f7a97a952388cb3f4a1a9d150bc84705f8c2abf2c71dafe
SHA512: 2210d69d467358c3174bf0685bd6dc1236d56aa9a19246c58931ebf87fe955fb4ed5e9acbb328b1775930e20fa275781c0eb48dd6d943de46ff20dc8fe511147

Filesize: 1.0MB
MD5: 7b67ad5920fbb521a3931e181b6f09c1
SHA1: be2ef6336fffab984588ba5e7c857394445972c2
SHA256: a53abdc7b7c7e3200ad96481d6230edc2ef5c37b4c0ae51bdd663a13f5e0f771
SHA512: f94fa8e3212ec9a5861772287e17fb76d1030c0127a5de46f0dcfcde1e2457555bb997288305b482dad0d1bdfe63c4312985666fff1540b2fa04291f11b521c3

Filesize: 572KB
MD5: f1f53da4210741290d2a97962ddabd75
SHA1: 77e4197542f8af41415aa6366e3d9690bb5e42fd
SHA256: 4ddec18e9d8574c76a7e18ca0c9d9b37ff3a13a6f3f3bc50c35508d0c4c83e68
SHA512: 688db1c87d7b9e83c718d9eebfa78a87a558a02213a9ad6f1e4772ce2532efca2efb7436af0340881f16cad7c80ebd99017eea89322406968db402e95c3169ef

Filesize: 200KB
MD5: 431f73f47db54f39affaf01d059ddc19
SHA1: 494a98579d991201f79bc62138f3614eba7a6bf4
SHA256: 432ce523edf6eac5d01b085ebb8ccda80c16e72618ed4ef75312884b171fe281
SHA512: 94d5f6d28dbb9934013b2908e95a69374fcb93384c8333807a7bcf437b6e3638bf1aad92e894fbb282c28eebdcbda770752f2e43d9c6c7ac9e892c647ccab79b