Analysis
- max time kernel: 132s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/09/2024, 14:45
Static task
- static1

Behavioral task
- behavioral1
  Sample: 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
  Resource: win7-20240903-en

Behavioral task
- behavioral2
  Sample: 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
  Resource: win10v2004-20240802-en
General
- Target: 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
- Size: 16KB
- MD5: cc469f137221fe0f88526c416d767d46
- SHA1: adaf54c0a7d8eec727b7668d01089ff87c9cb744
- SHA256: 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6
- SHA512: 40d355a5e683fb0f534259dcc6e8f8016594aba6b03ff6b29ce75cb8ad5b9a93330637c345e01f821e5336c0e9978d553eb2a87d9fabd787443a5928735aa1f6
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlF:hDXWipuE+K3/SSHgxmlF
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence.

Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | DEM639C.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | DEMBA47.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | DEM1085.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | DEM66B4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | DEMBC94.exe
- Executes dropped EXE (6 IoCs)

PID | Process
1680 | DEM639C.exe
3980 | DEMBA47.exe
2956 | DEM1085.exe
2644 | DEM66B4.exe
2964 | DEMBC94.exe
3228 | DEM1284.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMBC94.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM1284.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM639C.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMBA47.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM1085.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM66B4.exe
- Suspicious use of WriteProcessMemory (18 IoCs)

Description | PID | Process | procid_target
PID 4640 wrote to memory of 1680 | 4640 | 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe | 97
PID 4640 wrote to memory of 1680 | 4640 | 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe | 97
PID 4640 wrote to memory of 1680 | 4640 | 1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe | 97
PID 1680 wrote to memory of 3980 | 1680 | DEM639C.exe | 101
PID 1680 wrote to memory of 3980 | 1680 | DEM639C.exe | 101
PID 1680 wrote to memory of 3980 | 1680 | DEM639C.exe | 101
PID 3980 wrote to memory of 2956 | 3980 | DEMBA47.exe | 103
PID 3980 wrote to memory of 2956 | 3980 | DEMBA47.exe | 103
PID 3980 wrote to memory of 2956 | 3980 | DEMBA47.exe | 103
PID 2956 wrote to memory of 2644 | 2956 | DEM1085.exe | 105
PID 2956 wrote to memory of 2644 | 2956 | DEM1085.exe | 105
PID 2956 wrote to memory of 2644 | 2956 | DEM1085.exe | 105
PID 2644 wrote to memory of 2964 | 2644 | DEM66B4.exe | 107
PID 2644 wrote to memory of 2964 | 2644 | DEM66B4.exe | 107
PID 2644 wrote to memory of 2964 | 2644 | DEM66B4.exe | 107
PID 2964 wrote to memory of 3228 | 2964 | DEMBC94.exe | 109
PID 2964 wrote to memory of 3228 | 2964 | DEMBC94.exe | 109
PID 2964 wrote to memory of 3228 | 2964 | DEMBC94.exe | 109
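The WriteProcessMemory signature above only records that one process wrote into another's address space; a parent launching a child the ordinary way produces exactly this kind of write, so the table by itself does not show injection into an unrelated process. What a practitioner wants to know is whether every write target is one of the dropped executables and whether the writes form a single linear launch chain. The following Python is an editorial example added to this page, not part of the tria.ge report: it transcribes the 18 records and the "Executes dropped EXE" list into constructed input, collapses the duplicate events, and rebuilds the chain. All function names are the example's own.

```python
"""Rebuild the parent -> child launch chain from a sandbox's WriteProcessMemory
events and check that every write target is a known dropped executable.

Input data below is transcribed from the report on this page (constructed
for the example; the sandbox logs each launch three times, so duplicates are
expected and are collapsed)."""

from collections import defaultdict

SAMPLE = "1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe"

# (source_pid, source_image, target_pid) from the WriteProcessMemory table.
WRITE_EVENTS = [
    (4640, SAMPLE, 1680), (4640, SAMPLE, 1680), (4640, SAMPLE, 1680),
    (1680, "DEM639C.exe", 3980), (1680, "DEM639C.exe", 3980), (1680, "DEM639C.exe", 3980),
    (3980, "DEMBA47.exe", 2956), (3980, "DEMBA47.exe", 2956), (3980, "DEMBA47.exe", 2956),
    (2956, "DEM1085.exe", 2644), (2956, "DEM1085.exe", 2644), (2956, "DEM1085.exe", 2644),
    (2644, "DEM66B4.exe", 2964), (2644, "DEM66B4.exe", 2964), (2644, "DEM66B4.exe", 2964),
    (2964, "DEMBC94.exe", 3228), (2964, "DEMBC94.exe", 3228), (2964, "DEMBC94.exe", 3228),
]

# pid -> image, from the "Executes dropped EXE" table.
DROPPED = {
    1680: "DEM639C.exe", 3980: "DEMBA47.exe", 2956: "DEM1085.exe",
    2644: "DEM66B4.exe", 2964: "DEMBC94.exe", 3228: "DEM1284.exe",
}


def build_graph(events):
    """Collapse duplicate events into pid -> {child pids} and pid -> image name."""
    children = defaultdict(set)
    images = {}
    for src_pid, src_image, dst_pid in events:
        children[src_pid].add(dst_pid)
        images[src_pid] = src_image
    return children, images


def find_roots(children):
    """Processes that write into others but are never written into themselves."""
    targets = {t for ts in children.values() for t in ts}
    return sorted(p for p in children if p not in targets)


def walk_chain(root, children):
    """Follow the graph from root while each node has exactly one unvisited child.
    Stops at a branch (several children) or a leaf, and never loops."""
    chain, seen, cur = [root], {root}, root
    while True:
        nxt = children.get(cur, set()) - seen
        if len(nxt) != 1:
            break
        (cur,) = nxt
        chain.append(cur)
        seen.add(cur)
    return chain


def analyse(events, dropped):
    """Summarise the write graph: roots, chains, and any target that is not a dropped file."""
    children, images = build_graph(events)
    roots = find_roots(children)
    targets = {t for ts in children.values() for t in ts}
    # A write into a process that is NOT a dropped file would point at injection
    # into something pre-existing (e.g. a system process) and deserves a closer look.
    foreign_targets = sorted(targets - set(dropped))
    chains = []
    for root in roots:
        pids = walk_chain(root, children)
        names = [images.get(p) or dropped.get(p, f"pid:{p}") for p in pids]
        chains.append({"root_pid": root, "pids": pids, "images": names})
    return {
        "raw_events": len(events),
        "unique_edges": sum(len(c) for c in children.values()),
        "roots": roots,
        "chains": chains,
        "foreign_targets": foreign_targets,
        # One root and no fan-out: a straight dropper-launches-dropper sequence.
        "linear": len(roots) == 1 and all(len(c) <= 1 for c in children.values()),
    }


if __name__ == "__main__":
    report = analyse(WRITE_EVENTS, DROPPED)
    for c in report["chains"]:
        print(" -> ".join(c["images"]))
    print("linear chain:", report["linear"], "| foreign targets:", report["foreign_targets"])
```

Run against the page's data this prints the seven-stage sequence from the sample down to DEM1284.exe, reports a single linear chain, and finds no write target outside the dropped set. The same routine applied to a report where a dropped file writes into, say, an already running system process would surface that PID under `foreign_targets`, which is the case that actually warrants the "suspicious" label.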
Processes
1. C:\Users\Admin\AppData\Local\Temp\1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c3406506c4cb8b2538e6044f7ec849f0ae13dc088f25b68ca307fa9c26460d6.exe"
   PID: 4640
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DEM639C.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM639C.exe"
      PID: 1680
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBA47.exe"
         PID: 3980
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\DEM1085.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM1085.exe"
            PID: 2956
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\DEM66B4.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM66B4.exe"
               PID: 2644
               - Checks computer location settings
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\DEMBC94.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC94.exe"
                  PID: 2964
                  - Checks computer location settings
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Local\Temp\DEM1284.exe
                     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM1284.exe"
                     PID: 3228
                     - Executes dropped EXE
                     - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: 6a52166c75abaed03cf3eb1e5e87ed1d
  SHA1: e65623685fad3d14f19708caf14d856330fbdeec
  SHA256: 0f6b94409d10eb350a05a7daef2c3f78f90a44cbdf581fc222502189336ccc8c
  SHA512: de3d72bb93fa16e4e9eca7422619b8736456ab5821f3892c5bc4ea6e3c93eb1168e4dcb66970e9af5d06cc77291f42a4dfa9c94087615dd015e90ff209ea7367
- Filesize: 16KB
  MD5: ba8b4a40419eaa7e12bb08cefffe5298
  SHA1: f90a49c63075cd444587fd1d2d59b322e4e92d86
  SHA256: ddb03306ce80b033c0b900768a0ed21ddb48513e350a85bceb5f1ce6b45edea2
  SHA512: 9d6a2893f2c0025d7a55f1ec6685162677aec362e2de33dcb48f3050b8264a3624f060d0871b3686502ede215e86378f84c36db97f7b8330597684e0666f7d0a
- Filesize: 16KB
  MD5: cc0f3d0fc27cb5cc66752460fb9070f5
  SHA1: f605c54777c908e8537c7eddeac359ea9895722e
  SHA256: 98c3c9bc57b09d49fd0c60d9afa050f4ec7d850e827705c5df5d5c9c8cfde918
  SHA512: 900b5d7517ff98ae0b09310ee83928ab23e2e0bf79e5145ce9ac43053aa9845ce3bb5bd2332fd5cedf9e6d0e939fde23f8f4f06905dfdeb7a2c5addc9c1d154d
- Filesize: 16KB
  MD5: 6b1dfe6580ed68234db7b84cdba241ea
  SHA1: 8c2a0917b6d74f70b56afca88f954183438485c6
  SHA256: d47c11990d43cbe5c320560c49615e76c833fdff0664408e2d627611bc103bc1
  SHA512: 208670ba7208b8818b830eecbfecdff59ab81679dec875b0e2e4aa00636058d7722cf27465533fe176fb74d3f2dcae36e34912d59a6ea6eeccf098b44f439850
- Filesize: 16KB
  MD5: 9323b91d5a749c0e13e2898229cd35ac
  SHA1: 1b39346b690de5cdc1d3050cbab3491b319a18b1
  SHA256: 15c5638fabdbddbb9e153b915b9de41719565937be9632a0cc5e7eff1eececb1
  SHA512: 36b4816d60d0c2e5e24b818881d16dd2f574eaac75bed8be1467126b95f0fe852654b47885ac088c08d61557d0080cbf922a59adc2203cd41486fad0a4a6d4a4
- Filesize: 16KB
  MD5: de3f81cc3fc7509e8805976ab4121ea0
  SHA1: 872bf068935120b872a1b83f55003b73c5857a45
  SHA256: f882bc70d23d36f0366ae0699eb15c182235639c335cf7db303a8b21c9aa6b1d
  SHA512: 45fffa61bca1783cb557ffcecc2bcab07b4efb36b49ff7a2bb156bb6836b8bad39aad3a4724e867bedb848458c9ee01717b616d4ba0d1c56197a71179c7dac37