Analysis
max time kernel: 151s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 08:17
Static task: static1
Behavioral task: behavioral1
  Sample: Xfer.Records.Serum.v1.363-TCD.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Xfer.Records.Serum.v1.363-TCD.exe
  Resource: win10v2004-20240802-en
General
Target: Xfer.Records.Serum.v1.363-TCD.exe
Size: 194.4MB
MD5: 022bdfff9aae163cdad8a6592d6f875b
SHA1: 6e3d3c0d9577f63ad3486301b96da5a078e7998d
SHA256: 3c276917a800a8c9ad19b82efe50abb88d6105954a5b99f1b1f2f1e6a6b2fb44
SHA512: 9c6fb958f60bcf8d28e1f2162f6126db64756b08b5759838fe9eb175e1132a8bfc7d502100980ba24e32cc9fdab758e33a6b3ec68add092d13d7c4dd7661b727
SSDEEP: 3145728:xFouHlx5rcWFlzaNTX8UXQlTQEu1zHZXbob8d4eCHA++JgDSbQ0c0/u/hUVIIng3:xxHP5rhmNB/5obr9AXJkSk00hUmIng44
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid  | Process
  4244 | Xfer.Records.Serum.v1.363-TCD.tmp

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Xfer.Records.Serum.v1.363-TCD.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Xfer.Records.Serum.v1.363-TCD.tmp

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process                           | procid_target
  PID 3200 wrote to memory of 4244 | 3200 | Xfer.Records.Serum.v1.363-TCD.exe | 87
  PID 3200 wrote to memory of 4244 | 3200 | Xfer.Records.Serum.v1.363-TCD.exe | 87
  PID 3200 wrote to memory of 4244 | 3200 | Xfer.Records.Serum.v1.363-TCD.exe | 87
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe"
  PID: 3200
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 3200): C:\Users\Admin\AppData\Local\Temp\is-TA6CT.tmp\Xfer.Records.Serum.v1.363-TCD.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-TA6CT.tmp\Xfer.Records.Serum.v1.363-TCD.tmp" /SL5="$C01CE,202736105,792576,C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.363-TCD.exe"
    PID: 4244
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.0MB
MD5: d6767f8e3108c06d646ec46d547c4a43
SHA1: 6e951499919cfaa9bc10abb15690398b4474d688
SHA256: d5b52c20cca1be2bff6bc2f7d5c9168082bb9a9c1522cb4a9443174f114b71c7
SHA512: b9ee131c71e877e0bf49e6a09504cef3975889cba2ed2056f54165e113d518264c580d1d20e44b9026f8f28ec9181bee7083c6e055891ef5b47244ec5a1d3961