Analysis
max time kernel: 94s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2024, 12:12
Static task: static1
Behavioral task: behavioral1
  Sample: 5f067155980d04cc127c4e42a080ec90N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5f067155980d04cc127c4e42a080ec90N.exe
  Resource: win10v2004-20240802-en
General
Target: 5f067155980d04cc127c4e42a080ec90N.exe
Size: 6.0MB
MD5: 5f067155980d04cc127c4e42a080ec90
SHA1: 52ef382a5fb933b1a90c7fd112135c7ab50cc42a
SHA256: 9d18735cb452e04efc58b0e381ef91fd3d10a66becea79c87a39ef55204bca44
SHA512: a2b1c21d70f6333276f59902a985da6f5bdbe2fb6272d3bb5bbf760be1668b8d736b6676f3828eabd7e7d49b1f55621ae4b12e2df2f35ecfcfd0b9f316124fd3
SSDEEP: 98304:emhd1UryehTrktVGi47vV7wQqZUha5jtSyZIUS:elBTgtVGt7v2QbaZtlir
Malware Config
Signatures
Deletes itself (1 IoC)
  pid: 4376  Process: 65FD.tmp
Executes dropped EXE (1 IoC)
  pid: 4376  Process: 65FD.tmp
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 5f067155980d04cc127c4e42a080ec90N.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 65FD.tmp
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2476 wrote to memory of 4376  pid: 2476  Process: 5f067155980d04cc127c4e42a080ec90N.exe  procid_target: 86
  description: PID 2476 wrote to memory of 4376  pid: 2476  Process: 5f067155980d04cc127c4e42a080ec90N.exe  procid_target: 86
  description: PID 2476 wrote to memory of 4376  pid: 2476  Process: 5f067155980d04cc127c4e42a080ec90N.exe  procid_target: 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\5f067155980d04cc127c4e42a080ec90N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5f067155980d04cc127c4e42a080ec90N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2476
   2. C:\Users\Admin\AppData\Local\Temp\65FD.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\65FD.tmp" --splash C:\Users\Admin\AppData\Local\Temp\5f067155980d04cc127c4e42a080ec90N.exe 029DB67D168DDCA214E166D3E5AB17799114DBE25BDB33F2765CA77739A32E3E1BC000EDBE98840EF195FE678ECA5DE299CB83C5B05460D509ADB75175BA3888
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4376
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6.0MB
MD5: acea108a1cdf0264cc072998b08749ce
SHA1: bb181565e2ddabc2b8ad655d9db765b2677e9365
SHA256: d260a2a2b44ba30eaca9ddb15103d5e55d87bbedea1e32d82e0a7bc2076e2e97
SHA512: 37adc685e50eb8ab08a8a4f2edd944f5d06deb80d8052855650b611af53dbaacd7aa5cbd7256750e58517a2fd644b3dbf19b7250a4844e1bf9f714df15c41926