Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24/08/2024, 04:33

General

  • Target

    d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe

  • Size

    2.7MB

  • MD5

    ac3ab242cda9abd60b9b5bce92c201c0

  • SHA1

    ad05cec66b8471ba6fad3afb7a2dc16215000555

  • SHA256

    d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41

  • SHA512

    4965150d36702e824bf9e7ea6b350fcc2ddddc5bdeed05b2d617fc22df3d9b639c73fc648d490d35261e65285842f8ed9eff2d61b8b4be462f02bcfe7ba12113

  • SSDEEP

    49152:9YyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:ZTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe
    "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe
      "C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1568
        3⤵
        • Program crash
        PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2760 -ip 2760
    1⤵
    PID:744
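The cmd.exe line in the tree above is the classic sleep-then-delete: a single ping to 1.1.1.1 with a 3000 ms timeout stalls just long enough for the parent to exit, after which Del removes the original executable; the same ping is what triggers the Internet Connection Discovery signature. The detector below is an added example and is not Triage's signature code. It assumes process-creation events of the shape (pid, ppid, image, command line), as Sysmon event 1 or 4688 would give, splits cmd.exe command lines on their operators, and reports a self-delete when the deleted path equals the parent's own image, a lower-confidence delayed delete of an executable otherwise, and a connectivity probe when ping targets a public resolver (the resolver list and rule names are assumptions). The first four sample events are constructed from the process tree on this page (the sample's own parent PID is made up); the last two are constructed contrast cases.

```python
"""Flag ping-delayed self-deletion and connectivity probes in process-creation events.

Added example for this report; not Triage's signature code. Event shape, rule names
and CONNECTIVITY_TARGETS are assumptions. Sample events are constructed from the tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path of the new process (e.g. Sysmon EID 1 "Image")
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Public resolvers commonly pinged as a "do I have internet" check (assumed list).
CONNECTIVITY_TARGETS = {"1.1.1.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

# Leading cmd.exe token plus an optional /C or /K switch.
_CMD_PREFIX_RE = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+(?:/[ck]\s+)?', re.I)
# cmd.exe command separators; the quoted paths handled here contain none of them.
_SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
# "ping <host> ... -n <count>" or "timeout /t <secs>" used purely as a sleep.
_DELAY_RE = re.compile(r"^(?:ping(?:\.exe)?\s+.*-n\s+\d+|timeout(?:\.exe)?\s+.*/t\s+\d+)", re.I)
# First non-switch argument of ping is the target host.
_PING_HOST_RE = re.compile(r"^ping(?:\.exe)?\s+(?:-\w+\s+\S+\s+)*(\S+)", re.I)
# "del" / "erase" with optional switches and an optionally quoted path.
_DEL_RE = re.compile(r'^(?:del|erase)\s+(?:/\w\s+)*"?(?P<path>[^"]+?)"?\s*$', re.I)


def cmd_segments(cmdline: str) -> list[str]:
    """Strip the cmd.exe prefix and split the remainder on &, &&, |, ||."""
    body = _CMD_PREFIX_RE.sub("", cmdline, count=1)
    return [s for s in _SPLIT_RE.split(body) if s]


def analyze(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for ev in events:
        image = ev.image.lower()
        if image.endswith("\\cmd.exe"):
            segs = cmd_segments(ev.cmdline)
        elif image.endswith("\\ping.exe"):
            segs = [ev.cmdline]
        else:
            continue
        delayed = any(_DELAY_RE.match(s) for s in segs)
        deleted = [m.group("path") for s in segs if (m := _DEL_RE.match(s))]
        pinged = [m.group(1) for s in segs if (m := _PING_HOST_RE.match(s))]
        parent = by_pid.get(ev.ppid)
        for path in deleted:
            # Strongest signal: the file being deleted is the parent's own image.
            if parent and path.lower() == parent.image.lower():
                findings.append(Finding(ev.pid, "self_delete_via_cmd",
                                        f"pid {parent.pid} deletes its own image {path}"))
            elif delayed and path.lower().endswith(EXEC_EXT):
                findings.append(Finding(ev.pid, "delayed_delete_of_executable",
                                        f"sleep-then-delete of {path}"))
        for host in pinged:
            if host in CONNECTIVITY_TARGETS:
                findings.append(Finding(ev.pid, "internet_connectivity_probe",
                                        f"ping to public resolver {host}"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d54087e71e4b908afb958974c559eef576533224b9c83c74fd01fd61289c2a41.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"  # 32-bit sample: System32 in the command line redirects here

SAMPLE_EVENTS = [
    ProcEvent(2284, 1000, SAMPLE, f'"{SAMPLE}"'),  # ppid 1000 is made up
    ProcEvent(2760, 2284, DROPPED, f'"{DROPPED}"'),
    ProcEvent(4444, 2284, CMD32,
              f'"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "{SAMPLE}"'),
    ProcEvent(3160, 4444, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    # Constructed contrast cases (not from the report): an installer clean-up and a plain sleep.
    ProcEvent(9001, 9000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe"'),
    ProcEvent(9002, 9000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping localhost -n 2 > nul & echo done'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.rule}: {f.detail}")
```

Run as-is it reports the self-delete and the connectivity probe for PID 4444, the same probe again for PING.EXE (PID 3160), a delayed delete for the constructed installer case, and nothing for the plain ping-as-sleep. The parent-image comparison is what separates real self-deletion from ordinary temp-file clean-up, so keep it even if you drop the weaker rule.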

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe

      Filesize

      2.7MB

      MD5

      86c9bf2d7575d19b48913603e8bb5dc1

      SHA1

      41bbdc31f69160727f177885757583de0e7f0317

      SHA256

      57c44c674ec135d46ecd358a4d8bab8797056b14bc1a13bf91dc209da06e9e7e

      SHA512

      ea0f5ae99f3894150d914c73c7f007c08978467993f2a2add17eb7dfe03a39b825e26db34e6d239ff2066511dbd9c6cd95d595544215323d15a6e8dd02f06d81

    • C:\Users\Admin\AppData\Local\Temp\Brigit Cho.exe

      Filesize

      2.7MB

      MD5

      e49f48ad9f5c81e6b99827c9975f9715

      SHA1

      e44c4ef33cc43df566c7c8711fa586153fd6bece

      SHA256

      0c6e7b3b8583db3ce1a1a11bd9d35451ca7a943c71436275ad03ddf2689a4f5d

      SHA512

      a0f944890c619a54ab10ff9fad2966587add119b1d41cdacde4fbbd394d5466a40613bf8c785adbfc1aa35cbb347a265ae994f4ea54573a29329ab53fa084de7

    • memory/2284-8-0x000000000E310000-0x000000000E376000-memory.dmp

      Filesize

      408KB

    • memory/2284-9-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/2284-4-0x000000000B3D0000-0x000000000B974000-memory.dmp

      Filesize

      5.6MB

    • memory/2284-5-0x000000000AEC0000-0x000000000AF52000-memory.dmp

      Filesize

      584KB

    • memory/2284-6-0x000000000B360000-0x000000000B36A000-memory.dmp

      Filesize

      40KB

    • memory/2284-7-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/2284-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

      Filesize

      4KB

    • memory/2284-3-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/2284-2-0x0000000007C00000-0x0000000007E24000-memory.dmp

      Filesize

      2.1MB

    • memory/2284-1-0x00000000002C0000-0x0000000000582000-memory.dmp

      Filesize

      2.8MB

    • memory/2284-37-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/2760-38-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/2760-39-0x0000000000900000-0x0000000000BC2000-memory.dmp

      Filesize

      2.8MB

    • memory/2760-40-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB

    • memory/2760-41-0x0000000074E70000-0x0000000075620000-memory.dmp

      Filesize

      7.7MB