Analysis
max time kernel: 118s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/08/2024, 06:30
Static task: static1
Behavioral task: behavioral1
Sample: 95ee71927bce9ff4ae2a236329b7aa20N.exe
Resource: win7-20240705-en
General
Target: 95ee71927bce9ff4ae2a236329b7aa20N.exe
Size: 6.5MB
MD5: 95ee71927bce9ff4ae2a236329b7aa20
SHA1: 1056f0228501dd256dd55ff60ec7d21be0020432
SHA256: ce8db332fe75b98361a0dc3b7b9bfc5456df31a291d61db244169ac55dfc4537
SHA512: b15c5a253d131ce391a6ca30842394ff032a57c51410f937a11225373c3f19a8555c36169bb121be4110e2d2bead53be6d41bdd004b80b4278341b6d558e03cd
SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSH:i0LrA2kHKQHNk3og9unipQyOaOH
Malware Config
Extracted: urelas
218.54.31.165
218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | tewymo.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | 95ee71927bce9ff4ae2a236329b7aa20N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | awkum.exe

Executes dropped EXE (3 IoCs)
pid | Process
4492 | awkum.exe
1104 | tewymo.exe
1152 | uzufn.exe

YARA rule matches
resource | yara_rule
behavioral2/files/0x000800000002346c-66.dat | upx
behavioral2/memory/1152-72-0x0000000000400000-0x0000000000599000-memory.dmp | upx
behavioral2/memory/1152-77-0x0000000000400000-0x0000000000599000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | awkum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tewymo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uzufn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95ee71927bce9ff4ae2a236329b7aa20N.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process | entries
2552 | 95ee71927bce9ff4ae2a236329b7aa20N.exe | 2
4492 | awkum.exe | 2
1104 | tewymo.exe | 2
1152 | uzufn.exe | 12

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target | entries
PID 2552 wrote to memory of 4492 | 2552 | 95ee71927bce9ff4ae2a236329b7aa20N.exe | 87 | 3
PID 2552 wrote to memory of 2948 | 2552 | 95ee71927bce9ff4ae2a236329b7aa20N.exe | 88 | 3
PID 4492 wrote to memory of 1104 | 4492 | awkum.exe | 90 | 3
PID 1104 wrote to memory of 1152 | 1104 | tewymo.exe | 102 | 3
PID 1104 wrote to memory of 4068 | 1104 | tewymo.exe | 103 | 3
Processes
(indentation shows parent/child relationships; the leading number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe"
   PID: 2552
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\awkum.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\awkum.exe"
      PID: 4492
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\tewymo.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\tewymo.exe" OK
         PID: 1104
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\uzufn.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\uzufn.exe"
            PID: 1152
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 4068
            - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 2948
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 224B
MD5: 2cd345598aa15cbc010e6d60eba1f04b
SHA1: 0b0ae13c78ce0b7ddb8cbdd0b0f353648de598a8
SHA256: 6990347d7d663caa0ac49b54254e728a96eec0a0c622b7d3375d72b75de60d6f
SHA512: 6f4f97acac1063f8a3e3841c7cc592f270653a941ffc0b8ffa79d97a6335ad532be6f3d54cacc2a2938bebb6d9e780267714846e7f9fc0b2f4b576f93b019795

Filesize: 278B
MD5: a03a685eb198f629caf9300ec1eb2b31
SHA1: 8dc3cd02a0cef1a2d1182b142fb1dc8f56f146d7
SHA256: fb6ce3d0667c8fb9c07a3f43b0d088d8e5209bddb685da2c5646bf57b8cf090f
SHA512: dbd434caf2cbbff4db888e742413f36e6e8d08ee9717efe04e681ee0b64a3e9b6f466a5dd48af167fe80bc224f31337177257cee23d7981b80f85bc6e524dfb4

Filesize: 6.5MB
MD5: c299a2ac4f450371cab0b21534d390e6
SHA1: a81dd0ba7c60b01bc019c8378ce6cb6b7f92e054
SHA256: c3008311354b4d910c793ba6f7870ea352cfee3e436e2ca5877cfe7398c253d7
SHA512: 53e43bc7f6e53f2aeed89750acaad41ec3f3683b6278751e7f144ff7e4cfee0156e7518d7b515396b3b73e7d9a6fcb8fb5f058f381e355cbd62444663ef43796

Filesize: 104B
MD5: dbef593bccc2049f860f718cd6fec321
SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Filesize: 512B
MD5: ef52af394a7d8bc85614d05bcab7b4cc
SHA1: 6642fc8ac5317ab966bd551b4e70a8410b84da51
SHA256: a6ac5ce226354deb998f4d7e0b60d23c01850bd7b73d138ae435a30548866672
SHA512: 3cc65ddfca3dec32cef60f2bd378627191f210d36ef032c79918b81c7c0474861c0d2efecaf86aec4dbcdaf69cf6585dac6e4d1c8c6afaad09e569c524b5d646

Filesize: 459KB
MD5: 7c299e2b564ef83d160e912e4de81dc2
SHA1: 9f72c8120e07c98dca2c8585e00e10147ca0ae55
SHA256: 291a53c34f16ccf408706efbaf80394994344e1b8486698723818be8778fff53
SHA512: 5e8e09ab64a648989146ac04e7d4ae49d9509d0bb84dc0c5b7e3d3a370f07f5efbf0df9c707798ee05b83b31c9991627fb863935374374f5c006cf5e3f868ac1