Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/09/2024, 23:04
Static task: static1
Behavioral task: behavioral1
- Sample: e4b35a4db8ac1d6237a5d8e43940c670N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e4b35a4db8ac1d6237a5d8e43940c670N.exe
- Resource: win10v2004-20240802-en
General
- Target: e4b35a4db8ac1d6237a5d8e43940c670N.exe
- Size: 463KB
- MD5: e4b35a4db8ac1d6237a5d8e43940c670
- SHA1: a3f96d0bd462f173d1a66c18b356a4dff026bb2c
- SHA256: 7a0fd5b18243f89e7593ce6586543abfad775939120e368994342e982d2eb4fe
- SHA512: bbc53863082ae1bbc21fc9c8c7dccc544b8052240b35ad6011ac8234edad76e0fd12475e80a59a726b6c406c20d0e06c83b45a3ac7e2973c81c7089cd6f1f33f
- SSDEEP: 6144:6SkWcDpi78KSrafqV5areuyFwBqgmGNGXN/O8OCLGzVUPtud7WHDUJVpCMZCWfGH:6Slc87eqqV5e+wBV6O+Kz8ty7hZLLfG
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid 1540, Process esenstsc.exe
  pid 1984, Process dxdivr32.exe
  pid 2368, Process ~809A.tmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\findPING = "C:\\Users\\Admin\\AppData\\Roaming\\atinit\\esenstsc.exe"
  Process: e4b35a4db8ac1d6237a5d8e43940c670N.exe
- Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\dxdivr32.exe
  Process: e4b35a4db8ac1d6237a5d8e43940c670N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: e4b35a4db8ac1d6237a5d8e43940c670N.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: esenstsc.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: dxdivr32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1540, Process esenstsc.exe (2 entries)
  pid 3584, Process Explorer.EXE (all remaining entries, repeated)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 1540; Process esenstsc.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid 3584; Process Explorer.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1344 wrote to memory of 1540; pid 1344; Process e4b35a4db8ac1d6237a5d8e43940c670N.exe; procid_target 87
  description: PID 1344 wrote to memory of 1540; pid 1344; Process e4b35a4db8ac1d6237a5d8e43940c670N.exe; procid_target 87
  description: PID 1344 wrote to memory of 1540; pid 1344; Process e4b35a4db8ac1d6237a5d8e43940c670N.exe; procid_target 87
  description: PID 1540 wrote to memory of 2368; pid 1540; Process esenstsc.exe; procid_target 89
  description: PID 1540 wrote to memory of 2368; pid 1540; Process esenstsc.exe; procid_target 89
  description: PID 2368 wrote to memory of 3584; pid 2368; Process ~809A.tmp; procid_target 56
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID: 3584
  - C:\Users\Admin\AppData\Local\Temp\e4b35a4db8ac1d6237a5d8e43940c670N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e4b35a4db8ac1d6237a5d8e43940c670N.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1344
    - C:\Users\Admin\AppData\Roaming\atinit\esenstsc.exe
      command line: "C:\Users\Admin\AppData\Roaming\atinit"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1540
      - C:\Users\Admin\AppData\Local\Temp\~809A.tmp
        command line: 3584 474632 1540 1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2368
- C:\Windows\SysWOW64\dxdivr32.exe
  command line: C:\Windows\SysWOW64\dxdivr32.exe -s
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1984
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 86dc243576cf5c7445451af37631eea9
  SHA1: 99a81c47c4c02f32c0ab456bfa23c306c7a09bf9
  SHA256: 25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a
  SHA512: c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4
- Filesize: 463KB
  MD5: 3b67a2dc3750404746d757e3938158e7
  SHA1: 2dd000e418aefbab80227aa0a3aceb39fe847af8
  SHA256: 905ca6affee2e24a9bf2e318e009c0e6b184d2967e8209faf3e4354e52af6154
  SHA512: 10fe03f8e3db7b399bcfe2bcbcb9274ab50218345312458c7f4715298b4a27c30a9cdb746735643e9ced9a722145596ecce828bd3ff5f352e4476135f4581f39