Analysis

max time kernel: 103s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/08/2024, 16:24
Static task: static1

Behavioral task: behavioral1
  Sample: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  Resource: win10v2004-20240802-en
General

Target: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
Size: 36KB
MD5: dc8c3a3c9dfa7e4144e6ba88c42a6c30
SHA1: 8e90cd92aa6073726e72d15e53efc6b677fb4470
SHA256: c8c906a1b261efbca2f192c7dcdcbe73d17b5cfc5c5205713243176b05b1f3cf
SHA512: eb2d33b410db3a44152001509a1dc9fe589bedec0aad7791dd39ba0b0d74b8a54e03f2d3450610d2fefc00c5764cf7d2610f75b792a49941b28c0498843a50bb
SSDEEP: 384:KrxUgySC4zdy4OyzLeReRcnnX7pi608SO2/yO5YsTg8ULbkVq+kwu2uPs5VlHxkz:ek6zdTiLLpTSOYyYY47UhtPsDxxyqg
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"
  process: regedit.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: regedit.exe

Runs .reg file with regedit (1 IoC)
  pid: 4868
  process: regedit.exe

Suspicious behavior: RenamesItself (2 IoCs)
  pid: 912
  process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe

  pid: 912
  process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 912 wrote to memory of 4868
  pid: 912
  process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  procid_target: 84

  description: PID 912 wrote to memory of 4868
  pid: 912
  process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  procid_target: 84

  description: PID 912 wrote to memory of 4868
  pid: 912
  process: dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
  procid_target: 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dc8c3a3c9dfa7e4144e6ba88c42a6c30N.exe"
   PID: 912
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regedit.exe (child of PID 912)
      Command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
      PID: 4868
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 166B
  MD5: f44153ef26be29552cf320325ad8b72e
  SHA1: 74ac72ba2ff0f871e59b11c95ad707372662370c
  SHA256: 767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f
  SHA512: 1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

File 2
  Filesize: 36KB
  MD5: fddbded159dd7d27b662f9ff4041b82c
  SHA1: 60f71cf1711d94441fda7154ccd65340ef1a2749
  SHA256: d8ad33e0a8a3cb9bef3290b4dd2d644b4384ae3de68a3dfd79c90cab2ae808af
  SHA512: 2bae9c65415333c6635249f8d4b063322f9f76c0f888574caff67ff5193324e407c9695f9cc55b47f90d0ee71684f1289f180d98257ae654a2bcf7d76efc85f1