Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/09/2024, 00:44
Static task: static1

Behavioral task: behavioral1
  Sample: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
  Resource: win10v2004-20240802-en
General
Target: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
Size: 16KB
MD5: 7dd7190f83497758e3b7ca572c20b94b
SHA1: bb9a93567d04e2df6365ba8f9f67044ba8941644
SHA256: 29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714
SHA512: 9398bf3decf0a6f899ada503069e060f03df682b43f4ac56830fed8e63056253d59f94648448076857a0163739d26218dd53b5298e8a52143aa6f2cee8017ea6
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY8iNJ:hDXWipuE+K3/SSHgxm8iNJ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.

description        ioc                                                                                              Process
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  DEMF066.exe
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  DEM9683.exe
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  DEMED2F.exe
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  DEM43CA.exe
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  DEM9A18.exe
Executes dropped EXE (6 IoCs)

pid   Process
2264  DEM9683.exe
4052  DEMED2F.exe
2976  DEM43CA.exe
3460  DEM9A18.exe
4868  DEMF066.exe
4904  DEM46F2.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                     Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM43CA.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM9A18.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMF066.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM46F2.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEM9683.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DEMED2F.exe
Suspicious use of WriteProcessMemory (18 IoCs)

description                        pid   Process                                                                 procid_target
PID 2396 wrote to memory of 2264   2396  29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe  93
PID 2396 wrote to memory of 2264   2396  29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe  93
PID 2396 wrote to memory of 2264   2396  29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe  93
PID 2264 wrote to memory of 4052   2264  DEM9683.exe                                                             97
PID 2264 wrote to memory of 4052   2264  DEM9683.exe                                                             97
PID 2264 wrote to memory of 4052   2264  DEM9683.exe                                                             97
PID 4052 wrote to memory of 2976   4052  DEMED2F.exe                                                             99
PID 4052 wrote to memory of 2976   4052  DEMED2F.exe                                                             99
PID 4052 wrote to memory of 2976   4052  DEMED2F.exe                                                             99
PID 2976 wrote to memory of 3460   2976  DEM43CA.exe                                                             101
PID 2976 wrote to memory of 3460   2976  DEM43CA.exe                                                             101
PID 2976 wrote to memory of 3460   2976  DEM43CA.exe                                                             101
PID 3460 wrote to memory of 4868   3460  DEM9A18.exe                                                             103
PID 3460 wrote to memory of 4868   3460  DEM9A18.exe                                                             103
PID 3460 wrote to memory of 4868   3460  DEM9A18.exe                                                             103
PID 4868 wrote to memory of 4904   4868  DEMF066.exe                                                             105
PID 4868 wrote to memory of 4904   4868  DEMF066.exe                                                             105
PID 4868 wrote to memory of 4904   4868  DEMF066.exe                                                             105
Processes (each entry nests under the one above it; the number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29218d5569a596ca4f813ef84103d12233bf8ff3bd1daea861e1e08684e45714.exe"
   PID: 2396
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\DEM9683.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9683.exe"
     PID: 2264
     - Checks computer location settings
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\DEMED2F.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMED2F.exe"
       PID: 4052
       - Checks computer location settings
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\DEM43CA.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM43CA.exe"
         PID: 2976
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9A18.exe"
           PID: 3460
           - Checks computer location settings
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\DEMF066.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF066.exe"
             PID: 4868
             - Checks computer location settings
             - Executes dropped EXE
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory

            7. C:\Users\Admin\AppData\Local\Temp\DEM46F2.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM46F2.exe"
               PID: 4904
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16KB
MD5: c014d0072609ca5f7d2f005d988bc391
SHA1: 1113f667886cf85dd59e9c8d6071e22eee38575c
SHA256: 9a3c6c5ae11788242cffe38753b3e5c0c3e2b7af23ba8ffd321da24a7c4c9c63
SHA512: 482913a21e6b63ee534f2a1465d5f4f2a4ea0bbe3f73855876d0ac96898b15089055df67add56eb920c58c183f3a4535f1edaa6aae0e0cdbed51d4e34293cc78

Filesize: 16KB
MD5: 0fb6f91f5ec0f8c3196a827aba24c454
SHA1: 51d49ae4e3ee3ed61f2e394534037379acb9b1ea
SHA256: eaf554bc4d42dacf18c32d3c34bb893e0b4d235b7f1bce4f681d6fc3782c742d
SHA512: bdaeb12841910c5af30e03213c825ca38dbcff96282627a45bf540484cd4bd5f6fd8a5b8dc1d08a5a88773d9a1ae6ce538c1e0df869d311c5027ba01c94df0c7

Filesize: 16KB
MD5: 3787296f779e5abb9374157b3861efc5
SHA1: 731be86e3990ebaaaf0e5fa0b823e1df9def28e4
SHA256: 15918539d26624c116ba701572a1f33045b654830e2ab7cf5ece4261981eec38
SHA512: 0df0c320928074e40e469c6435cbb272fda2ea418e62ef4504ffb9ec3356e85ee7f65b6b792b2fff4daf3ef8e7099a56181ec01ca5b41aa1675c4f7271d318eb

Filesize: 16KB
MD5: ec6f12d072d7bfed8c9e2291dd0fe8eb
SHA1: 8f09193ddd5b317a97eef62f923a6718952e3ec2
SHA256: 40359720ee9ed18a653192055121751d9d9875c65f7b52feddf23247b5ce9a9d
SHA512: 0fc982c265e9dcde73eb5a4a4a1cf5c1ed284516eda177a4ee68e1ba3ed1caa552194ecd0707c8c67c31836c760e91aa704f7d87f6b79195441bd20c12cdf7be

Filesize: 16KB
MD5: 75a1dbb44ab911c492c9714f4d33f530
SHA1: 18cfd3e8f84288ff72355e427311a64e60abb780
SHA256: f0c5fc02efc39b7d4310c989d763de7926264b764cc97ea01baee078696cacbb
SHA512: b90b844d52db74592ab933b608cc64006d3e020664fab8ef99a741da484a1b3a3aab35be8439ea75a9ecc119d14849d3975207d35b27dc57eb6d07efba01a195

Filesize: 16KB
MD5: 9650e49ccaa84b5e7ffce68b7ae42dfe
SHA1: a81b061ceaaaa5f34ad5596a48924dfa78356d5c
SHA256: 864872dd4de3c7c7d762c85b28c7e1cbb9525b914ebb531a5ce8529d0be93842
SHA512: 79a730aff38546e0ae71efdbecc6330e90e8270af4762c32adae4fb17f6614958577566665e6fcb42be97285273039c2291178081eacbb2fa6c664d11d28977f