Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2024, 23:47
Static task: static1
Behavioral task: behavioral1
  Sample: c4cde42b704d740eaa217beabf9b2e70N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c4cde42b704d740eaa217beabf9b2e70N.exe
  Resource: win10v2004-20240802-en
General
Target: c4cde42b704d740eaa217beabf9b2e70N.exe
Size: 428KB
MD5: c4cde42b704d740eaa217beabf9b2e70
SHA1: 4d8c736e437189111b81d7194ae47f56925a0fa5
SHA256: 89a96b801908c5740644378454ca5d6cff694109967a3c3823e43b00987a8f7e
SHA512: 99d9c434bb2921251bbf238b976217996f15e19d98f88da4b35bee629a538458e216616b4d89df4ab88cca39713cbd232a64ed6720cf40f60a556c1b4f457fb2
SSDEEP: 6144:gVdvczEb7GUOpYWhNVynE/mFDKKR79oLuhzxl8RBPBxFcbPRGXT0CO5rqHR:gZLolhNVyEOnWGFlwRubPRiT25rqHR
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 4272  process 7A50.tmp
Executes dropped EXE (1 IoC)
  pid 4272  process 7A50.tmp
System Location Discovery: System Language Discovery (ATT&CK T1614.001; 1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: c4cde42b704d740eaa217beabf9b2e70N.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: 7A50.tmp
System Network Configuration Discovery: Internet Connection Discovery (ATT&CK T1016.001; 1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 4272  process 7A50.tmp
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4192 wrote to memory of 4272  pid 4192  process c4cde42b704d740eaa217beabf9b2e70N.exe  procid_target 83
  description: PID 4192 wrote to memory of 4272  pid 4192  process c4cde42b704d740eaa217beabf9b2e70N.exe  procid_target 83
  description: PID 4192 wrote to memory of 4272  pid 4192  process c4cde42b704d740eaa217beabf9b2e70N.exe  procid_target 83
  All three writes go from the sample (PID 4192) into its freshly spawned child 7A50.tmp (PID 4272); no write into an unrelated process is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe"
   PID: 4192
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7A50.tmp (child of PID 4192)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7A50.tmp" --pingC:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe 895A4AE870C2BAA3502215FAA65852241B7012C17FCE8006761ED11B94F63BC6D2B5729D372C14E4C7C27616EF673DF9411EE661B325119A130327FFBF1CFD93
      PID: 4272
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery

The sample drops 7A50.tmp into its own Temp directory, launches it with the sample's full path and a 128-hex-character argument (the length of a SHA-512 digest, though it does not match the sample's own SHA512 above) on the command line, and the helper is the process credited with deleting the original file. That is the usual drop-a-helper-then-remove-the-original pattern; the dropped helper, not the submitted file, is what remains on disk after the run.
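The behaviours in the signature list can be re-derived from a raw process, file and registry event stream. The following Python is an added example, not tria.ge's signature code: the matching rules are this editor's own heuristics, the events are constructed to mirror the process tree on this page (PIDs, image paths and the NLS key come from the page; the parent PID 1234, the explicit file-create and file-delete events and their ordering are assumptions), and the Internet-connectivity check is not modelled because the page does not show what triggered it.

```python
"""
Re-derive the report's behavioural signatures from a Sysmon-style event stream.
Added illustration: the matching rules are heuristics written for this page,
not the sandbox's own signature logic.
"""
import ntpath
from collections import defaultdict

# Constructed events mirroring the report's process tree. PIDs, image paths and
# the registry key are from the page; parent PID 1234 and the file events are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c4cde42b704d740eaa217beabf9b2e70N.exe"
HELPER = r"C:\Users\Admin\AppData\Local\Temp\7A50.tmp"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS = [
    {"type": "ProcessCreate", "pid": 4192, "ppid": 1234, "image": SAMPLE},
    {"type": "RegOpen", "pid": 4192, "key": NLS_KEY},
    {"type": "FileCreate", "pid": 4192, "path": HELPER},
    {"type": "ProcessCreate", "pid": 4272, "ppid": 4192, "image": HELPER},
    {"type": "WriteProcessMemory", "pid": 4192, "target_pid": 4272},
    {"type": "WriteProcessMemory", "pid": 4192, "target_pid": 4272},
    {"type": "WriteProcessMemory", "pid": 4192, "target_pid": 4272},
    {"type": "RegOpen", "pid": 4272, "key": NLS_KEY},
    {"type": "FileDelete", "pid": 4272, "path": SAMPLE},
]


def analyze(events):
    """Return {signature: [(pid, process name, detail), ...]}, one entry per IoC."""
    images, parents, dropped = {}, {}, set()
    hits = defaultdict(list)

    def record(sig, pid, detail):
        hits[sig].append((pid, ntpath.basename(images.get(pid, "?")), detail))

    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "ProcessCreate":
            images[pid], parents[pid] = ev["image"], ev["ppid"]
            # Executes dropped EXE: the new image was written earlier by a tracked process.
            if ev["image"].lower() in dropped:
                record("Executes dropped EXE", pid, ev["image"])
        elif kind == "FileCreate" and pid in images:
            dropped.add(ev["path"].lower())
        elif kind == "FileDelete":
            # Deletes itself: a process removes its own image or its parent's image
            # (the sample), which is how a dropped helper cleans up the original.
            own = images.get(pid, "").lower()
            parent = images.get(parents.get(pid), "").lower()
            if own and ev["path"].lower() in (own, parent):
                record("Deletes itself", pid, ev["path"])
        elif kind == "WriteProcessMemory" and ev["target_pid"] != pid:
            # Cross-process write: here the parent writing into its freshly spawned child.
            record("Suspicious use of WriteProcessMemory", pid, ev["target_pid"])
        elif kind == "RegOpen" and ev["key"].lower().endswith(r"\nls\language"):
            # Reading the install language is the classic geolocation/locale check.
            record("System Location Discovery: System Language Discovery", pid, ev["key"])
    return dict(hits)


def format_report(hits):
    """Render hits in the 'Signature N IoCs / pid process' layout used on the page."""
    lines = []
    for sig, iocs in hits.items():
        lines.append(f"{sig} {len(iocs)} IoCs")
        for pid, name, detail in iocs:
            lines.append(f"  pid {pid}  process {name}  {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(analyze(EVENTS)))
```

Running it reproduces the four signatures and their IoC counts from the report (1, 1, 3 and 2). The "Deletes itself" rule deliberately credits the deleting process rather than the deleted one, matching how the page attributes that signature to 7A50.tmp; a rule that only looked for a process unlinking its own image would miss this helper-based cleanup entirely.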
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 428KB
MD5: 3e21df0efa6d375a3bb0b4115ec09634
SHA1: 49a8c80a45d3de0834e8070ec1478d1af95bc067
SHA256: 4e2c7ec31b580c77599db87d4ffca6f37b7b3bd8bac90e45e2d34781f1e4dbde
SHA512: ab079903045c493d94768d6cefddd798f0a45e7e506bd1af49710aab0496aba15b529fc28f81d883545b9fc5a8b75412145cecbf74196d0bb05f4d32e2a85b50