Analysis
- max time kernel: 134s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/08/2024, 04:33
Static task: static1
Behavioral task: behavioral1
  Sample: d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Resource: win10v2004-20240802-en
General
- Target: d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
- Size: 2.7MB
- MD5: ac3ab242cda9abd60b9b5bce92c201c0
- SHA1: ad05cec66b8471ba6fad3afb7a2dc16215000555
- SHA256: d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41
- SHA512: 4965150d36702e824bf9e7ea6b350fcc2ddddc5bdeed05b2d617fc22df3d9b639c73fc648d490d35261e65285842f8ed9eff2d61b8b4be462f02bcfe7ba12113
- SSDEEP: 49152:9YyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:ZTE66yXZ02DwUHoazRofxIhELjf/IVgs
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2760 | Brigit Cho.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2800 | 2760 | WerFault.exe | 91
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Brigit Cho.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  3160 | PING.EXE
  4444 | cmd.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  3160 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  2760 | Brigit Cho.exe
  2760 | Brigit Cho.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Token: SeIncBasePriorityPrivilege | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Token: SeDebugPrivilege | 2760 | Brigit Cho.exe
  Token: SeIncBasePriorityPrivilege | 2760 | Brigit Cho.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2284 wrote to memory of 2760 | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe | 91
  PID 2284 wrote to memory of 2760 | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe | 91
  PID 2284 wrote to memory of 2760 | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe | 91
  PID 2284 wrote to memory of 4444 | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe | 92
  PID 2284 wrote to memory of 4444 | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe | 92
  PID 2284 wrote to memory of 4444 | 2284 | d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe | 92
  PID 4444 wrote to memory of 3160 | 4444 | cmd.exe | 94
  PID 4444 wrote to memory of 3160 | 4444 | cmd.exe | 94
  PID 4444 wrote to memory of 3160 | 4444 | cmd.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2284
  - C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2760
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1568
      - Program crash
      PID: 2800
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4444
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 3160
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2760 -ip 2760
  PID: 744
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 86c9bf2d7575d19b48913603e8bb5dc1
  SHA1: 41bbdc31f69160727f177885757583de0e7f0317
  SHA256: 57c44c674ec135d46ecd358a4d8bab8797056b14bc1a13bf91dc209da06e9e7e
  SHA512: ea0f5ae99f3894150d914c73c7f007c08978467993f2a2add17eb7dfe03a39b825e26db34e6d239ff2066511dbd9c6cd95d595544215323d15a6e8dd02f06d81
- Filesize: 2.7MB
  MD5: e49f48ad9f5c81e6b99827c9975f9715
  SHA1: e44c4ef33cc43df566c7c8711fa586153fd6bece
  SHA256: 0c6e7b3b8583db3ce1a1a11bd9d35451ca7a943c71436275ad03ddf2689a4f5d
  SHA512: a0f944890c619a54ab10ff9fad2966587add119b1d41cdacde4fbbd394d5466a40613bf8c785adbfc1aa35cbb347a265ae994f4ea54573a29329ab53fa084de7