Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c0356144c3...7a.exe

windows7-x64

7

c0356144c3...7a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/09/2024, 23:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe

  • Size

    14KB

  • MD5

    916d4798cea5abdb517c3b2626c2548b

  • SHA1

    379d8f375af374b6802fb97f4b89f6cc25724acb

  • SHA256

    c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a

  • SHA512

    624206f4cd40405827c4baff881132bd9f3b99849916b15987a447d970adf154c1fc8f563753acbd1543d7bb7f0033bb1067f0f0ba6308d66dd7b77faa39dc5e

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0J0N:hDXWipuE+K3/SSHgx4CN

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe
    "C:\Users\Admin\AppData\Local\Temp\c0356144c38cb5652b21228d74d92cd4ea0ab13dd5cea2a47d4b0d9af273567a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\DEM6B2D.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM6B2D.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Users\Admin\AppData\Local\Temp\DEMC16B.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMC16B.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Users\Admin\AppData\Local\Temp\DEM178A.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM178A.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\Users\Admin\AppData\Local\Temp\DEM6D9A.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6D9A.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3240
            • C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4196
              • C:\Users\Admin\AppData\Local\Temp\DEM19B8.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM19B8.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM178A.exe
    Filesize

    14KB

    MD5

    a65b3637109beb244a933aacdd527a96

    SHA1

    34dbe6573d7be172f77da67f7fefad718b0716f1

    SHA256

    6df613ade73925df28a8233d436850347c0d23e8748395b9ada437701bffb126

    SHA512

    8039238b68f30f83c6bbf7aa6d158c911eb672f2780f5191dbebe0a6969e9b06cdb1ff036e2d5118a14d6a118c55ae90fcd17f7717d9a7e239247b2bbd25a1d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM19B8.exe
    Filesize

    14KB

    MD5

    4ab2c6ef9855e6eeed44fcdf0239dd1a

    SHA1

    5a90f5ff45a3803934a6e6e7981c5546aa7ea8ab

    SHA256

    89fbdc3780c127a34d3d4e3015a9cc0dc5ac414caa03047cb4be79bc9bcae888

    SHA512

    1f7376a46a5c0e915f9a10da23b3ba074e48319cdbe2cb94f34e2a3e9c002a5b5f5c0d2e0a0ab6cde2e2e974311308241764587b2dd22184688b649b6bebfb06

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM6B2D.exe
    Filesize

    14KB

    MD5

    dddcb80c27cee7128041b41dd2be17e6

    SHA1

    41fbdea460d74c5a2fabca52c0490ea3517eb4cb

    SHA256

    d3bf9a36b62b0c14f7a3b824d566e66f51df76c03c2be88aec0d185e7f474c2f

    SHA512

    b8903af779ad393bbcd35060277aaf4782ceb78202964ab346c2fdabe896a4dc6423ce0b319fe42790d0d4e201c99d3575df6580c856b8d97a9b2c8f5f78d16e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM6D9A.exe
    Filesize

    14KB

    MD5

    c18ab3358c9a7b05ba9b57b9351458fc

    SHA1

    451d632b434540e510c79b34db5db61a7a0027dc

    SHA256

    4e09e4ce41660467b8cd018f7c79a7cf001be9cda3dee62256e9aeae2789b47c

    SHA512

    bd51cb34fd70afb0aa6e44c2cb244f78f7c12009353dc34986898389dfbaf4ac8c1d72a8a3431a0dcd3b1cbe22e0e23f02893e5a31ae7d85b729de031788ca9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMC16B.exe
    Filesize

    14KB

    MD5

    8378abe083ea0e1fa08e4ef7a7202e16

    SHA1

    2a3a7b73cdf1426960efc90fcda0e18651635207

    SHA256

    5f260919af3788e9fc4b70d678b78c0f6a24680aa47864f5fb23d78ecff30d89

    SHA512

    d627425f7ed25b08d5c030e69c4a34324d406a800cbf52636692a3b1396285114c0a7097ef5eb16961ed5f3e087c13484ac70282a4a2304b92e6ddd92bd5d926

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMC38A.exe
    Filesize

    14KB

    MD5

    1fe0f7d7b7203ad13051b74645a505cb

    SHA1

    d204aec7d335fa1b0aa5f34472dca5ad376d0f0a

    SHA256

    ea60220cf85afaeb89488e086390b47d0dbcc048f77e4b855034d17149f3c6ee

    SHA512

    06b091f85532d61b9e04a53cd0f2b139ce577545f37a85963e65f0cbbf1618ffeffefe2cb327f9d34b02590d3e5ad4db8c61db2ecdb555df1d6fb7b67a12a5ae

    Download Submit