Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/09/2024, 05:09

General

  • Target

    95a5f142e06894b1aa80e77f6758d820N.exe

  • Size

    52KB

  • MD5

    95a5f142e06894b1aa80e77f6758d820

  • SHA1

    eac64e4dba0615185ad29ad955c10463cd890948

  • SHA256

    ec78aa16f02bca6012711466c456a4d008ffebacd64b6be020e13bfae6ae1b7f

  • SHA512

    24d2330bfded7e66dd2238942be59cefce852411bf527517f9b34f6c0fab92fdf40d1c57f54d57c3e5d75d400efb8d1b4380cf4e4be0126114e3977af01cd134

  • SSDEEP

    768:/uWn2wgVPe4A7okNPL1jskr/v/m89S3rkC6R+wibw52TzpGh:/SVe4A7xRLNskr3mbkC6R+XpGh

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95a5f142e06894b1aa80e77f6758d820N.exe
    "C:\Users\Admin\AppData\Local\Temp\95a5f142e06894b1aa80e77f6758d820N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\mbvoj.exe
      "C:\Users\Admin\mbvoj.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\mbvoj.exe

    Filesize

    52KB

    MD5

    3f9c21c1bcd84f649c16d823691ae51a

    SHA1

    78fe33af62d0b195c1586bd85c576018dc06d0b6

    SHA256

    c74f50e6a500a22fcb9e78bd939fac6c2b1fcf7827a0dc89ba4c4bf5af3a45b6

    SHA512

    ebc82cbf06dce73fb096403ffad8316ad7f6a4c8e30603185b9f8bf803075a50dff77b2cc4d4f95b500f5468197ed17ef41b2cafb0b3d1c686cb7a6cf1ffd7ab