Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/08/2024, 16:35

Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: ming-dan-pdf.exe, Resource: win7-20240704-en)

The signatures and process tree reproduced below come from the windows10-2004 run (their yara resource paths are under behavioral2/), not from the behavioral1 win7 task listed above.
General

Target: ming-dan-pdf.exe
Size: 22.6MB
MD5: d48ab037ac67690dfec97eb0cee58cef
SHA1: ee2cac4a3ed743469f344657a2ce03263278e843
SHA256: f86bb58f1fe31ba13544d0919beab5e3029e8044df85c72c37cbe2fbede5bf2b
SHA512: 1b53563081a14587cd28e184a5fd02730e78757e605176b5581154a514cda3644e48ecc931a3c2a93ebee68340d845167120fe75254aeb4d91fde5590973647a
SSDEEP: 196608:5c1aN0ECig1IFnEplmOXKh8mY8J4V+mPKSJAMr3jv4xHlZoA/iMYvWB:0OhCcFkjXLWiV+mSSCMToHluZW
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource: behavioral2/files/0x0007000000023450-14.dat   yara_rule: acprotect
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation   Process: ming-dan-pdf.exe
-
Deletes itself (1 IoC)
  PID 1864   t0mcat.exe
-
Executes dropped EXE (1 IoC)
  PID 1864   t0mcat.exe
-
Loads dropped DLL (2 IoCs)
  PID 1864   t0mcat.exe
  PID 1864   t0mcat.exe
-
UPX packed file (4 IoCs)
Yara rule upx matched the same dropped file that hit the acprotect rule, plus three memory regions of t0mcat.exe (0x10000000 is the default image base of a 32-bit DLL, consistent with the dropped DLL loaded above).
  resource: behavioral2/files/0x0007000000023450-14.dat   yara_rule: upx
  resource: behavioral2/memory/1864-18-0x0000000010000000-0x0000000010014000-memory.dmp   yara_rule: upx
  resource: behavioral2/memory/1864-34-0x0000000002C70000-0x0000000002C88000-memory.dmp   yara_rule: upx
  resource: behavioral2/memory/1864-46-0x0000000010000000-0x0000000010014000-memory.dmp   yara_rule: upx
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: ming-dan-pdf.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: t0mcat.exe
-
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  PID 2404   ming-dan-pdf.exe   (12 hits)
  PID 1864   t0mcat.exe   (16 hits)
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege   PID 1864   t0mcat.exe
  Token: SeLockMemoryPrivilege   PID 1864   t0mcat.exe
  Token: SeCreateGlobalPrivilege   PID 1864   t0mcat.exe
  Token: SeBackupPrivilege   PID 1864   t0mcat.exe
  Token: SeRestorePrivilege   PID 1864   t0mcat.exe
  Token: SeShutdownPrivilege   PID 1864   t0mcat.exe
  Token: SeCreateTokenPrivilege   PID 1864   t0mcat.exe
  Token: SeTakeOwnershipPrivilege   PID 1864   t0mcat.exe
All eight are privileges t0mcat.exe asked to enable on its own token. SeDebugPrivilege (open any process), SeCreateTokenPrivilege (create new access tokens), SeTakeOwnershipPrivilege and SeLockMemoryPrivilege (needed for large-page allocations) are not something a document viewer needs, so this set is a stronger signal than the individual discovery signatures above.
-
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2404   ming-dan-pdf.exe   (2 hits)
  PID 1864   t0mcat.exe   (2 hits)
-
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2404 (ming-dan-pdf.exe) wrote to memory of PID 1864 (t0mcat.exe)   procid_target: 87   (3 hits)
Caveat: a handful of writes from a parent into a child it has just created is the pattern seen for ordinary process creation as well as for injection, so on its own this is weak evidence; the dropped-EXE, self-deletion and privilege-token signatures carry more weight in this report.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ming-dan-pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ming-dan-pdf.exe"
PID: 2404 (depth 1)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\Documents\t0mcat.exe
  Command line: "C:\Users\Admin\Documents\t0mcat.exe"
  PID: 1864 (depth 2, child of PID 2404)
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
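The chain the process tree shows (an executable in the user's Temp folder spawning a second executable under Documents, which then removes its own image file) can be expressed as a small host-log detection. The following is an added example, not report content or tria.ge code: it runs a two-signal check over constructed Sysmon-style ProcessCreate (EventID 1) and FileDelete (EventID 23) records that model this tree. The explorer.exe parent, the parent PID 1000 and the setup.exe control rows are assumptions made for the example and do not come from the report.

```python
import re
from typing import Dict, List

# Parent image lives under %LOCALAPPDATA%\Temp; child image is an .exe directly
# under a user's Documents folder. Both patterns are derived from the report tree.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_DOCS_EXE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\Documents\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, EventID 23 = FileDelete).
# Rows for PIDs 2404/1864 model the report; explorer.exe as parent, PID 1000 and the
# setup.exe control rows are assumptions for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 2404, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\ming-dan-pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1864, "ParentProcessId": 2404,
     "Image": r"C:\Users\Admin\Documents\t0mcat.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\ming-dan-pdf.exe"},
    {"EventID": 23, "ProcessId": 1864,
     "Image": r"C:\Users\Admin\Documents\t0mcat.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\t0mcat.exe"},
    # benign control: a Temp-staged installer that deletes its own log, not its image
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 23, "ProcessId": 3100,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
]


def detect(events: List[Dict], min_hits: int = 2) -> List[Dict]:
    """Return one finding per created process that trips at least min_hits signals."""
    created = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    # Signal 2: the deleting process's own image is the deleted file.
    self_deleters = {
        e["ProcessId"] for e in events
        if e["EventID"] == 23 and e["TargetFilename"].lower() == e["Image"].lower()
    }
    findings = []
    for pid, e in created.items():
        reasons = []
        # Signal 1: Temp-staged parent launching an .exe dropped under Documents.
        if TEMP_DIR.search(e["ParentImage"]) and USER_DOCS_EXE.match(e["Image"]):
            reasons.append("exe under user Documents spawned by a Temp executable")
        if pid in self_deleters:
            reasons.append("process deleted its own image file")
        if len(reasons) >= min_hits:
            findings.append({"pid": pid, "image": e["Image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f['pid']} {f['image']}: " + "; ".join(f["reasons"]))
```

The self-deletion signal assumes the delete is performed by the process itself and is logged as EventID 23 (FileDelete must be enabled in the Sysmon configuration); a sample that removes itself through cmd.exe or by renaming an alternate data stream needs a different condition. The Temp-to-Documents path pattern on its own would also match some installers, which is why min_hits defaults to 2.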
Network
MITRE ATT&CK Enterprise v15
Downloads
-
File 1 (name not listed)
Filesize: 82KB
MD5: 4abe0fa567bc7414f0232bcc1370a36d
SHA1: 5023cb8446abb125796fa74493e45d72428537b7
SHA256: 15e4c9a052f696da40749b17912f4c63647919815949e9227c51325c7017d823
SHA512: dd29a6db81fe7d085028b3987645fc42e466baa3388f4b798efddf760a471b592c71857c0526ac3194bd5e1390e954c2230237d93027ab76acc676d7b792fff4
-
File 2 (name not listed)
Filesize: 27KB
MD5: 849e9f3e59daf750db838e885d58c6fa
SHA1: 733cb105153e4b83160a52bfa2ddd95d750fb806
SHA256: f94949a6c121a525f661dd8abd917eb37a5cf582c89e3a258170a15d30cc0cc2
SHA512: 3feff6db5fc5ae371a4ec60ce13a383668a5accac537a0ae56b9b5b7318a2d5bdb4b79286a519cad3610cb6d1f335a11c09a4d3165c147a00d5a7880ea23e173
-
File 3 (name not listed)
Filesize: 118B
MD5: bcf8561732b58b58c7bd2f96d9b5e1a7
SHA1: 4b39115407716c50bca553c8e5855e4d7508f897
SHA256: cd49c42e787c4dafc2ae0d648e40205ccbbd406da6ed4c9fd41ea67a4ba35663
SHA512: b4588b9f5ed04ae78b8cd0646f069db3a5f0c0a653c7d84e701ad5215ed93876171ca81dbb6284bd1b43bb4ef927e200b32d3273be64504e9dc3e385c778462b
-
File 4 (name not listed)
Filesize: 2.0MB
MD5: 887dbb770f9a3cd5376aa211a30789e4
SHA1: f148997262530c6c85467a30f76ddc90a6ca4c9e
SHA256: 40f5a4d30fa4ee0738e74de5e93980815d5eceb2a3fea3a836e3df8785606465
SHA512: b8975608f312ee5983f5ef209ef08829618b86e952d3a2beaad405c9117762881493743c851cea63531292416b550aaa383b9b22bb4052f81bd68641e3a2ff00
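To check a host or a quarantine share against what this report lists, the digests of the submitted sample (General section) and of the four download entries above can be used as a small IOC set. The following is an added example, not tria.ge code: it computes MD5, SHA-1 and SHA-256 in a single pass per file and matches on whichever digest is present, since intel feeds often carry only one of them. The labels for the four download entries are constructed here because the report gives no file names; the SHA-512 values are left out of the table, and the SSDEEP fuzzy hash is not used because it needs the third-party ssdeep library.

```python
import hashlib
import os
import sys
from typing import Dict, Iterator, Optional, Tuple

# (label, md5, sha1, sha256) copied from the report. Labels for the four
# download entries are constructed; the report does not name those files.
REPORT_FILES = [
    ("ming-dan-pdf.exe (submitted sample, 22.6MB)",
     "d48ab037ac67690dfec97eb0cee58cef",
     "ee2cac4a3ed743469f344657a2ce03263278e843",
     "f86bb58f1fe31ba13544d0919beab5e3029e8044df85c72c37cbe2fbede5bf2b"),
    ("download #1 (82KB)",
     "4abe0fa567bc7414f0232bcc1370a36d",
     "5023cb8446abb125796fa74493e45d72428537b7",
     "15e4c9a052f696da40749b17912f4c63647919815949e9227c51325c7017d823"),
    ("download #2 (27KB)",
     "849e9f3e59daf750db838e885d58c6fa",
     "733cb105153e4b83160a52bfa2ddd95d750fb806",
     "f94949a6c121a525f661dd8abd917eb37a5cf582c89e3a258170a15d30cc0cc2"),
    ("download #3 (118B)",
     "bcf8561732b58b58c7bd2f96d9b5e1a7",
     "4b39115407716c50bca553c8e5855e4d7508f897",
     "cd49c42e787c4dafc2ae0d648e40205ccbbd406da6ed4c9fd41ea67a4ba35663"),
    ("download #4 (2.0MB)",
     "887dbb770f9a3cd5376aa211a30789e4",
     "f148997262530c6c85467a30f76ddc90a6ca4c9e",
     "40f5a4d30fa4ee0738e74de5e93980815d5eceb2a3fea3a836e3df8785606465"),
]
ALGOS = ("md5", "sha1", "sha256")

# Flat digest -> label index so a hit on any single algorithm is enough.
REPORT_INDEX: Dict[str, str] = {
    digest: label for label, *digests in REPORT_FILES for digest in digests
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory buffer (used for small artefacts and for tests)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """All three digests in one pass so a 22.6MB sample is read from disk once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_report(digests: Dict[str, str]) -> Optional[str]:
    """Return the report label for the first digest that is in the IOC set, else None."""
    for a in ALGOS:
        label = REPORT_INDEX.get(digests.get(a, "").lower())
        if label is not None:
            return label
    return None


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, label) for every file under root whose digest is in the report."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = match_report(hash_file(path))
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            if label:
                yield path, label


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = list(scan_tree(root))
    for path, label in hits:
        print(f"{path}: matches {label}")
    sys.exit(1 if hits else 0)
```

Run it as `python scan.py <directory>`; a non-zero exit code on any hit makes it easy to wire into a triage script. Exact-hash matching only catches byte-identical copies, so a repacked build of the same dropper will not be found this way.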