Analysis
Max time kernel: 133s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03/09/2024, 17:37
Static task: static1
Behavioral task: behavioral1
  Sample: f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
  Resource: win10v2004-20240802-en
General
Target: f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
Size: 16KB
MD5: 016ecdb9876c5124ed326acaebcf76c7
SHA1: 866ceda0b453db4587f2d9e167ab6218462ca21d
SHA256: f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097
SHA512: e489c83ce455c93039be37d873c87a650847f0c635a65cf984d9b177a7898c787200d3c3f5a4621097604b234ce34fa8817fac795fd6b0f2a9d5161493e80aed
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYld:hDXWipuE+K3/SSHgxmld
Malware Config
Signatures
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation
Processes querying this key:
- DEM6368.exe
- DEMB9D5.exe
- DEMFE4.exe
- f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
- DEMB5B3.exe
- DEMD0B.exe
Executes dropped EXE (6 IoCs)
- PID 1940: DEMB5B3.exe
- PID 2532: DEMD0B.exe
- PID 4404: DEM6368.exe
- PID 1548: DEMB9D5.exe
- PID 4908: DEMFE4.exe
- PID 4636: DEM6642.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes opening this key:
- DEM6642.exe
- f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe
- DEMB5B3.exe
- DEMD0B.exe
- DEM6368.exe
- DEMB9D5.exe
- DEMFE4.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Each pair below was recorded three times (3 write events per pair):
- PID 2920 (f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe) wrote to memory of PID 1940, procid_target 94
- PID 1940 (DEMB5B3.exe) wrote to memory of PID 2532, procid_target 98
- PID 2532 (DEMD0B.exe) wrote to memory of PID 4404, procid_target 100
- PID 4404 (DEM6368.exe) wrote to memory of PID 1548, procid_target 102
- PID 1548 (DEMB9D5.exe) wrote to memory of PID 4908, procid_target 104
- PID 4908 (DEMFE4.exe) wrote to memory of PID 4636, procid_target 106
Processes
1. C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe (PID 2920)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f1a00c1e40ad694911babba52eae58de8404b654c7897ff9e176b1e179881097.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEMB5B3.exe (PID 1940)
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB5B3.exe"
     - Checks computer location settings
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMD0B.exe (PID 2532)
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD0B.exe"
       - Checks computer location settings
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEM6368.exe (PID 4404)
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6368.exe"
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEMB9D5.exe (PID 1548)
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB9D5.exe"
           - Checks computer location settings
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMFE4.exe (PID 4908)
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMFE4.exe"
             - Checks computer location settings
             - Executes dropped EXE
             - System Location Discovery: System Language Discovery
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEM6642.exe (PID 4636)
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6642.exe"
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: 2b0a19b7a56e12f277c773981ca63a71
SHA1: 8c25f04a15bf84913448f63fb9b327efc78d9df6
SHA256: e632d24184bedc72997ba069d684c66bdf5ce8985deea6194b5b2bfbaa113b5b
SHA512: 95797e58e2871383a2c85077c53c7bb9bd600be89cf2f2f6742cee2ddf87c1e6bab0cc17898536b7190070db0912fcf531659f5eda51fb0a6d1162b1ed9f21d3

Filesize: 16KB
MD5: abfbc10a123642302ff076df6c5e9515
SHA1: bd1b6002cb7cdf839e38bb0e5427d59175a72cce
SHA256: b27855270da7179bfe3d2e8a1a9f69f8e45df937bfc8d82353aceb0815a8fc66
SHA512: 967c5487336a59892bcaa8b676ee1def442f07135edb3a5850922517b6f157ffe35b3fa231abfe8426b89943694d665599b3a9d96875486cc275644a2f9962f8

Filesize: 16KB
MD5: 1881cc0e5e151a6375893c2d9913ce40
SHA1: d755444e17bb21c8c02ac40f177324710337e301
SHA256: 2ec135547bc00232d80b5efcc32a1064cb6e8a37b1daa4fecfdc6fd2199dc8e7
SHA512: 46c9b9a6285924a40cc27ee7519e5c8f2a465d8c898fe633463253c29081fefb29c79d306608bdcf7e895e3cb9e3fd6a31ddad5bea7b7237f10d82ba473a63dd

Filesize: 16KB
MD5: 2c7fce6d275b8f064bb591012348e2f2
SHA1: 60406d4a2452ad53e60292117521abeb6b95c1f8
SHA256: aad943ffcc1e9716d2a909891b457c6a71a5a0386ef2e04d14ce1458cbbbbe6f
SHA512: 4233d82cc7e3cd9005d8eb6ec9277f26755fdefdc68d5fd0f6da5a1a75a082e7fa5e7b4be0ed3aeac96410480de8419bc751437a25b920b5b1667f791a2326b0

Filesize: 16KB
MD5: 8f673894b2cb94e0d791c824d8825b7a
SHA1: 89ca8d22e5ce26d00fdfe877553805bb04da8717
SHA256: ea7374d917e083dba1720d3aea831b922ffcb83bcac822f3922b3fd75f014aad
SHA512: 46d268fa241cf2884881b83398824a88d16dc77b9f0843d80c2704d34b3ce61b672fe94b91056c743b6bd7afb78e70e3237262538588f967afcf4613c93cb1ca

Filesize: 16KB
MD5: efbe1c9183094fc1168f3d2a8fbbd130
SHA1: 6067af82ce1d9204c46559c859602ad8188af268
SHA256: b28da392be0134ea58cdd49c329f9ccae64c63786b5cd5226d0bba6df3c0ddf7
SHA512: 6bdf1bf277df9816032fb1c4ac6387bf91bb63174d06e77bf740586319e39e91bb31c7f0e0f2956885ac808c4dfe6ae6dd9c3475b73204774409e9dc1ab7cfb1