Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 20:27

General

  • Target

    setup.exe

  • Size

    1.4MB

  • MD5

    706c6bfc8bfc84cff339ad4f1383b5f6

  • SHA1

    2bee5db2fc7f4c0cb9657b3c56381edf55f20b9e

  • SHA256

    a24bca9187ab78b0e924a7c34e897fbe6410dac464ad5df0f9652339e99328be

  • SHA512

    40fde805e9c2f8b4803924cdedf87bbb3deb80143110ca1cbad98648ea511d4e99ac82444ae13a275fe8c36bbfdaef81b2a5e9f55fddb5cecbd66dcfce6a8b90

  • SSDEEP

    24576:mbn04bdgOwOvZc+y8UZ3BQ9KtFkva8DgY4bQzy5kafTQUIz:m5ggc+GZ0KsTkxbEy2wTgz

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service (3 TTPs, 6 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\setup.exe
      C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\setup.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Users\Admin\AppData\Local\Temp\is-BGOO0.tmp\is-CVFOL.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-BGOO0.tmp\is-CVFOL.tmp" /SL4 $B0270 C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\setup.exe 812133 50688
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3336
    • C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\dudu.exe
      C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\dudu.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
        C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
        3⤵
        • Modifies firewall policy service
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\dudu.exe

    Filesize

    220KB

    MD5

    0b2a860a558ca00e1b4f389b6d8be1e6

    SHA1

    5e5a12756446751482d3db2798bd954f2f49ee68

    SHA256

    81db7a9742cb8fb50f7a97a952388cb3f4a1a9d150bc84705f8c2abf2c71dafe

    SHA512

    2210d69d467358c3174bf0685bd6dc1236d56aa9a19246c58931ebf87fe955fb4ed5e9acbb328b1775930e20fa275781c0eb48dd6d943de46ff20dc8fe511147

  • C:\Users\Admin\AppData\Local\Temp\a595fb03-7462-4173-bb34-4f6da4b34b5b\setup.exe

    Filesize

    1.0MB

    MD5

    7b67ad5920fbb521a3931e181b6f09c1

    SHA1

    be2ef6336fffab984588ba5e7c857394445972c2

    SHA256

    a53abdc7b7c7e3200ad96481d6230edc2ef5c37b4c0ae51bdd663a13f5e0f771

    SHA512

    f94fa8e3212ec9a5861772287e17fb76d1030c0127a5de46f0dcfcde1e2457555bb997288305b482dad0d1bdfe63c4312985666fff1540b2fa04291f11b521c3

  • C:\Users\Admin\AppData\Local\Temp\is-BGOO0.tmp\is-CVFOL.tmp

    Filesize

    572KB

    MD5

    f1f53da4210741290d2a97962ddabd75

    SHA1

    77e4197542f8af41415aa6366e3d9690bb5e42fd

    SHA256

    4ddec18e9d8574c76a7e18ca0c9d9b37ff3a13a6f3f3bc50c35508d0c4c83e68

    SHA512

    688db1c87d7b9e83c718d9eebfa78a87a558a02213a9ad6f1e4772ce2532efca2efb7436af0340881f16cad7c80ebd99017eea89322406968db402e95c3169ef

  • C:\Users\Admin\AppData\Local\Temp\remotesetup.exe

    Filesize

    200KB

    MD5

    431f73f47db54f39affaf01d059ddc19

    SHA1

    494a98579d991201f79bc62138f3614eba7a6bf4

    SHA256

    432ce523edf6eac5d01b085ebb8ccda80c16e72618ed4ef75312884b171fe281

    SHA512

    94d5f6d28dbb9934013b2908e95a69374fcb93384c8333807a7bcf437b6e3638bf1aad92e894fbb282c28eebdcbda770752f2e43d9c6c7ac9e892c647ccab79b

  • memory/724-12-0x0000000000401000-0x000000000040A000-memory.dmp

    Filesize

    36KB

  • memory/724-7-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/724-24-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/3336-21-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

  • memory/3336-25-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB