Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

29218d5569...14.exe

windows7-x64

7

29218d5569...14.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/09/2024, 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe

  • Size

    16KB

  • MD5

    7dd7190f83497758e3b7ca572c20b94b

  • SHA1

    bb9a93567d04e2df6365ba8f9f67044ba8941644

  • SHA256

    29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714

  • SHA512

    9398bf3decf0a6f899ada503069e060f03df682b43f4ac56830fed8e63056253d59f94648448076857a0163739d26218dd53b5298e8a52143aa6f2cee8017ea6

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8iNJ:hDXWipuE+K3/SSHgxm8iNJ

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
    "C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\DEM9683.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM9683.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\DEMED2F.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMED2F.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Users\Admin\AppData\Local\Temp\DEM43CA.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM43CA.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3460
            • C:\Users\Admin\AppData\Local\Temp\DEMF066.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMF066.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4868
              • C:\Users\Admin\AppData\Local\Temp\DEM46F2.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM46F2.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM43CA.exe
    Filesize

    16KB

    MD5

    c014d0072609ca5f7d2f005d988bc391

    SHA1

    1113f667886cf85dd59e9c8d6071e22eee38575c

    SHA256

    9a3c6c5ae11788242cffe38753b3e5c0c3e2b7af23ba8ffd321da24a7c4c9c63

    SHA512

    482913a21e6b63ee534f2a1465d5f4f2a4ea0bbe3f73855876d0ac96898b15089055df67add56eb920c58c183f3a4535f1edaa6aae0e0cdbed51d4e34293cc78

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM46F2.exe
    Filesize

    16KB

    MD5

    0fb6f91f5ec0f8c3196a827aba24c454

    SHA1

    51d49ae4e3ee3ed61f2e394534037379acb9b1ea

    SHA256

    eaf554bc4d42dacf18c32d3c34bb893e0b4d235b7f1bce4f681d6fc3782c742d

    SHA512

    bdaeb12841910c5af30e03213c825ca38dbcff96282627a45bf540484cd4bd5f6fd8a5b8dc1d08a5a88773d9a1ae6ce538c1e0df869d311c5027ba01c94df0c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM9683.exe
    Filesize

    16KB

    MD5

    3787296f779e5abb9374157b3861efc5

    SHA1

    731be86e3990ebaaaf0e5fa0b823e1df9def28e4

    SHA256

    15918539d26624c116ba701572a1f33045b654830e2ab7cf5ece4261981eec38

    SHA512

    0df0c320928074e40e469c6435cbb272fda2ea418e62ef4504ffb9ec3356e85ee7f65b6b792b2fff4daf3ef8e7099a56181ec01ca5b41aa1675c4f7271d318eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe
    Filesize

    16KB

    MD5

    ec6f12d072d7bfed8c9e2291dd0fe8eb

    SHA1

    8f09193ddd5b317a97eef62f923a6718952e3ec2

    SHA256

    40359720ee9ed18a653192055121751d9d9875c65f7b52feddf23247b5ce9a9d

    SHA512

    0fc982c265e9dcde73eb5a4a4a1cf5c1ed284516eda177a4ee68e1ba3ed1caa552194ecd0707c8c67c31836c760e91aa704f7d87f6b79195441bd20c12cdf7be

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMED2F.exe
    Filesize

    16KB

    MD5

    75a1dbb44ab911c492c9714f4d33f530

    SHA1

    18cfd3e8f84288ff72355e427311a64e60abb780

    SHA256

    f0c5fc02efc39b7d4310c989d763de7926264b764cc97ea01baee078696cacbb

    SHA512

    b90b844d52db74592ab933b608cc64006d3e020664fab8ef99a741da484a1b3a3aab35be8439ea75a9ecc119d14849d3975207d35b27dc57eb6d07efba01a195

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DEMF066.exe
    Filesize

    16KB

    MD5

    9650e49ccaa84b5e7ffce68b7ae42dfe

    SHA1

    a81b061ceaaaa5f34ad5596a48924dfa78356d5c

    SHA256

    864872dd4de3c7c7d762c85b28c7e1cbb9525b914ebb531a5ce8529d0be93842

    SHA512

    79a730aff38546e0ae71efdbecc6330e90e8270af4762c32adae4fb17f6614958577566665e6fcb42be97285273039c2291178081eacbb2fa6c664d11d28977f

    Download Submit