Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 100s
  max time network: 102s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 22/08/2024, 02:04
Static task: static1
Behavioral task: behavioral1
  Sample: 71de7e22166b54d7dc8774403a7fad80N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 71de7e22166b54d7dc8774403a7fad80N.exe
  Resource: win10v2004-20240802-en
General
  Target: 71de7e22166b54d7dc8774403a7fad80N.exe
  Size: 1.2MB
  MD5: 71de7e22166b54d7dc8774403a7fad80
  SHA1: b647b246910f56a7d67255ede444bdaca7ee332c
  SHA256: 7e30f74679f5013327e5edbad28f3997333a48a3ad6883b5f794d856c4e06823
  SHA512: 924ace796480f540367e6a675575454f3c4ccb5690517f02e4c3284c3df7e84863313767664b999e27444a17233177f4569811ebead6e8b931e196d3d10ea851
  SSDEEP: 24576:TaxaktqcjdqoZRXzszhYia1GLZmN1DUZmSordfq6Ph2kkkkK4kXkkkkkkkkA:Taxakt9q6Xzsfa1CZmXYZmSadfqX
Malware Config
Signatures
  Deletes itself (1 IoCs)
    pid  | Process
    5004 | B4F8.tmp
  Executes dropped EXE (1 IoCs)
    pid  | Process
    5004 | B4F8.tmp
  System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc                                                          | Process
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 71de7e22166b54d7dc8774403a7fad80N.exe
    Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | B4F8.tmp
  Suspicious use of WriteProcessMemory (3 IoCs)
    description                      | pid  | Process                               | procid_target
    PID 3248 wrote to memory of 5004 | 3248 | 71de7e22166b54d7dc8774403a7fad80N.exe | 84
    PID 3248 wrote to memory of 5004 | 3248 | 71de7e22166b54d7dc8774403a7fad80N.exe | 84
    PID 3248 wrote to memory of 5004 | 3248 | 71de7e22166b54d7dc8774403a7fad80N.exe | 84
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\71de7e22166b54d7dc8774403a7fad80N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\71de7e22166b54d7dc8774403a7fad80N.exe"
      PID: 3248
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [2] C:\Users\Admin\AppData\Local\Temp\B4F8.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\B4F8.tmp"
          PID: 5004
          - Deletes itself
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1.2MB
  MD5: 0351cadf26778f6b8966fc9543094859
  SHA1: ed31908f7d98807227607dcfa31196b957dc2e76
  SHA256: 200ee627690133e787a761dc1f1c3c6fc4230b8d02cf3c7ae5a9bef97be9f859
  SHA512: 8f81c45647402c0a0fd9b6faaae4f5f821291633651a973147718d27a2f80973628bcbcdd85d5bb1ae21d8d2294822979b29aa386d5fdc400c188abeabb9b35d