Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

869c9b5dfb...0N.exe

windows7-x64

7

869c9b5dfb...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/09/2024, 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    869c9b5dfb6aaa3188ced5e4481aedd0N.exe

  • Size

    832KB

  • MD5

    869c9b5dfb6aaa3188ced5e4481aedd0

  • SHA1

    b6ff0ce27fa0fca90310b37f5be026ffd48b76f7

  • SHA256

    03eb8f344a9cfb16bafcf617b5babb96fc228acaa668792a0c0f8b650921abf6

  • SHA512

    f1ca8e7c16f873cb99bf0e8401480771d1a19d72a3c06d3e54390605d92ef65c06c0d2f0cfc6d65c6ba62c4c3b98429bf5a417abbaaaa27babd24a316219a812

  • SSDEEP

    12288:NYIW0p98Oh8P7h8Nw2KJvsQPMe8nCX62qVWTI5yl48pArv8o4HBTVGZJARr:ZW298E8uinvhEveqsT9r

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\869c9b5dfb6aaa3188ced5e4481aedd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\869c9b5dfb6aaa3188ced5e4481aedd0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\9376.tmp
      "C:\Users\Admin\AppData\Local\Temp\9376.tmp" --pingC:\Users\Admin\AppData\Local\Temp\869c9b5dfb6aaa3188ced5e4481aedd0N.exe 9CE970672AA034521E65BEB33460A1FAD12DBCE41DFA3B699A846A92A3589D54FD76C8DE5D692E0F38081C710B8D21D5C3223D69DD39D0E070FF8C01DDC744F3
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\869c9b5dfb6aaa3188ced5e4481aedd0N.docx" /o ""
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\869c9b5dfb6aaa3188ced5e4481aedd0N.docx
    Filesize

    21KB

    MD5

    7079891932a64f097abafd233055a1e9

    SHA1

    246d95feafe67689d49a5a4cadba18d3ac1914e5

    SHA256

    c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

    SHA512

    6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9376.tmp
    Filesize

    832KB

    MD5

    18b342181be945a94dd9ac5eebe7283f

    SHA1

    811622b98d3389c1d36a18308a796daf8cfab04f

    SHA256

    0ef4f1721c270a065a56a47e61dd0f2ca778664e12ad3e6c77cdaa1077efe62a

    SHA512

    bb057f453d39e78cbcbf6302e634cd49fb4e7470323c8296241aef8021480c82513e4fdb26ef1c9c43adc16ec7397a2c79e9aecf4af6e2c6878cf11eb79f4a82

    Download Submit

  • memory/1292-18-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-22-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-11-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1292-10-0x00007FFCE6FCD000-0x00007FFCE6FCE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1292-13-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1292-14-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1292-20-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-19-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-9-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1292-12-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1292-21-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-23-0x00007FFCA4CB0000-0x00007FFCA4CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1292-17-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-16-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-15-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-24-0x00007FFCA4CB0000-0x00007FFCA4CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1292-37-0x00007FFCE6F30000-0x00007FFCE7125000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1292-38-0x00007FFCE6FCD000-0x00007FFCE6FCE000-memory.dmp

    Filesize

    4KB

    Download