Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/09/2024, 02:48

General

  • Target

    6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe

  • Size

    16KB

  • MD5

    3e0bcc9c38930e36788ea27389ef1444

  • SHA1

    376476ca2d4ced8ab1b042edcad88854adfd83eb

  • SHA256

    6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e

  • SHA512

    9bb6a85ea0176e0ed78425e491dc2b56c64a5262bfc9fb800429698836ee3e1643edb4e102018f7014ce61db08882df1d0e7a2ed6be93f21c592411257fe1823

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlgB:hDXWipuE+K3/SSHgxmlC

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe
    "C:\Users\Admin\AppData\Local\Temp\6b82c9d405ceab4edf1620c0187af2c2435d938e315fa2b8aa8400733ccd478e.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Local\Temp\DEM5BA8.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM5BA8.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Users\Admin\AppData\Local\Temp\DEMB31E.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMB31E.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Users\Admin\AppData\Local\Temp\DEMA08.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMA08.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4712
          • C:\Users\Admin\AppData\Local\Temp\DEM6095.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM6095.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3616
            • C:\Users\Admin\AppData\Local\Temp\DEMB75F.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMB75F.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1656
              • C:\Users\Admin\AppData\Local\Temp\DEME69.exe
                "C:\Users\Admin\AppData\Local\Temp\DEME69.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4128
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4080,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
    1⤵
      PID:1596

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DEM5BA8.exe

      Filesize

      16KB

      MD5

      a0cd9ff37d90e8e4d660b206c503cc07

      SHA1

      28517c0e2201c061846924c64de6131f1d872ed3

      SHA256

      961c338e65d32172dd53824923ac7ee206119d32e66ea900e677ad4f9988b838

      SHA512

      7baaa21399f89ef95ebed687652f992eebddc6d2f4067c1ba54bde25b4c0203f7045e2ef850411fc65dc734895ed27a1c1809c9404bafa53a7d8703a7a6b5f19

    • C:\Users\Admin\AppData\Local\Temp\DEM6095.exe

      Filesize

      16KB

      MD5

      f6602e93da3884943b25606922034ce7

      SHA1

      7fffd0dfdce40f22093e566930bfca0883c4843a

      SHA256

      cedb50933b1eb412ece466fcce77805cb9612fe28e5371445a0a006b3dd5fcd0

      SHA512

      3f80f55cd5ad7486e59e9af0be21a01b7359f4c59a42860113f8516c3c18a3f83ebc2c096f96f65f679df3103280655d767115a799e87d14e7e1ecad69e43620

    • C:\Users\Admin\AppData\Local\Temp\DEMA08.exe

      Filesize

      16KB

      MD5

      302a8091ecfcaad4dd46a7dd4f9c4664

      SHA1

      c3cc6037ed6501758928fc2d3415b2818056a5c5

      SHA256

      de86daa2a226503fba32ca075799692d23e8783961002c3845d63d0219366501

      SHA512

      77f182234894802eadc18acda30828f99919bcf42ee8d0c9c6229fc8462294117d83cecc02e9614cacb767aa1f60c10d1daafb8df5776f3437fd8cf5c7683902

    • C:\Users\Admin\AppData\Local\Temp\DEMB31E.exe

      Filesize

      16KB

      MD5

      dd1f98df1125a9968a6a63ac5dd0fa35

      SHA1

      6c9256ef2cc60412ed9a6a09fcc984eb55343c01

      SHA256

      5ea4692bd4709cef8e29cf85c60996c7b838a80d5117b704aa7ecdc7ad20a0b2

      SHA512

      ecf6e817a00d4b367c8f6d06f0f05f88b5e4467744e1c97d51e09b57ad990de5e277205406e50355d8ade58b55b0e315b0c743c6f5474a67794d73d6df2bcd95

    • C:\Users\Admin\AppData\Local\Temp\DEMB75F.exe

      Filesize

      16KB

      MD5

      d9fa9b7a5da4696e96988dc0c755c2c9

      SHA1

      261c68a1d4198caaf1e6e856b75f12d871eb4968

      SHA256

      f5cc9194769957ccd7064cea2342959833d5b4ce78a84896aa93e30c3e231189

      SHA512

      271c9e2f61e8080cce5ce02c776dabbf0ca2b153ccb216ed05c933df695e089f32730de94b8406e94c2ce55e0f72c473b64d6aee46d85ef3be610c3c04e035bc

    • C:\Users\Admin\AppData\Local\Temp\DEME69.exe

      Filesize

      16KB

      MD5

      b05ea1915d477b17dc2f5efee0335637

      SHA1

      f17123ba6dc777fe691a4684aea9207adcb58e30

      SHA256

      3a8fc592eb61c4a134ffd93f879a3fe86fede3bbaabb52d6104884e2acdf5f56

      SHA512

      9d38eea1de1e2e2cd6c6b1c14758e5640f8e3b449cb8da671d2a20a88fab37c41e5756f1d6a44873c9fe651d46dc63d06ab3926bf55397fd20481bd4d68d0028