Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1d5a70e1e6...ed.exe

windows7-x64

7

1d5a70e1e6...ed.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2024, 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe

  • Size

    14KB

  • MD5

    b88828bb90c23342fca74b2e0f7a8491

  • SHA1

    12dee435022fa6e516eeb5281e47cd362844dbe9

  • SHA256

    1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed

  • SHA512

    16a39b324fc33a0b62603be60470bf75c9cb7fbde4ecd4ba2e717069a7f91423367c7370a6485828f0b1fdd1f52b2b8015a01de9a65e0810dbcf3274730eb1b7

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJBX:hDXWipuE+K3/SSHgxmbX

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe
    "C:\Users\Admin\AppData\Local\Temp\1d5a70e1e61c880a33f5277c019d28f1a91534894f6c60d59069f500ea3276ed.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\DEMB42D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMB42D.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:364
      • C:\Users\Admin\AppData\Local\Temp\DEMB07.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB07.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Users\Admin\AppData\Local\Temp\DEM6155.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM6155.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1312
          • C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3888
            • C:\Users\Admin\AppData\Local\Temp\DEMCD7.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMCD7.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:972
              • C:\Users\Admin\AppData\Local\Temp\DEM6325.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM6325.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM6155.exe
    Filesize

    14KB

    MD5

    2d1dba6f147bbc04148e75507a97e9e3

    SHA1

    760741c99419ba1c579e122020722e4283837dd9

    SHA256

    481f4234b49b79c40f2c8bae111c6457468fca7824ff704f3dda1d626c0ab175

    SHA512

    0a4df8f82627dbd8dcc439178cb199f2fd7f65a651228af950eb15dd87069d6aac91606957c13a72649c1623245a67ed45e707cafc44bcea9ba52aeff307fb5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM6325.exe
    Filesize

    15KB

    MD5

    8cc0ec61bc708201bd08f7170a83d91b

    SHA1

    980ee9b3b3287bdd23a7c16990d5677dbdaeb75e

    SHA256

    5e623e124d8b32e86a68b65c042aafe4582e76574eebb035ce3c5683e57bfa76

    SHA512

    cd8160729f75bcbb4d91414f82f9de37d17d289c9560d5072ec2751b38f371cc5865da083ec34131633f00e1a2d878a5965d8c2bd36e6598b529e093302d5369

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB07.exe
    Filesize

    14KB

    MD5

    418c96ab97905c33b9911b20b2a13499

    SHA1

    bcba7fdee19f511057f5c560f3533af2cc67b65c

    SHA256

    ebab36315e1582afc596ab05b1bbb37d413f40f3b0f3f07d17c0f90f2fae9e17

    SHA512

    c17b0236293978528be78925daab4a060ca226a57c33a21a640513ae380ee53704917056467eef2cf78102fd22f31dad4527d5eacdf8b4a720a4ea25a2dbab83

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB42D.exe
    Filesize

    14KB

    MD5

    2e31e6670c4490e5a5eeaea27b24db6c

    SHA1

    e14756868e0a9c23176b5bbb769546bc0c9c506d

    SHA256

    72ce77194a689cd69e32fdd18b39aec7edc9a7cec4eae2b691d615f19d4ae04b

    SHA512

    3119bbd87f92bcf141deadd69a6f626ef75423a5f9be1ceb2f96406bcbd1cdc77b0ba865c273346b6a4fe4116cffdec98a5cc899d26c32653bd2e006bc59dba2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMB6D8.exe
    Filesize

    14KB

    MD5

    6dcd2e1f560bbb8f8935f4af3fd0db07

    SHA1

    c74710bb9298f7080ad9c5a9372151ba830c0fd5

    SHA256

    e936ed40f4176fee35432b4178fa20ab470630daaee245854dce3972a8004f29

    SHA512

    7cfd703aa3f3543c9970d727365e2c6ab2c94e97945787d15a31f1c55d46d65d33573e08d213987b244a81a0b7488968569b35719ae279cf5cff92ffab50701e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMCD7.exe
    Filesize

    14KB

    MD5

    4d07f95b7e4585f28782e36d440f4879

    SHA1

    da9c88e2e071f2a896755d89ab30d94affc8bad0

    SHA256

    15148633144e7459c19e868bcd63ae86bcbcd63dbc6b8d7cc8d0020b7f2406c2

    SHA512

    f8f0c2233fa6fa6cac9dea193e3806e5899d4487d2d04c7d9809f026487860feac30da93edbc30e1aaed6503a6a7c2228537a346b2755dc031cbab94ee898a1f

    Download Submit