Analysis
  max time kernel: 118s
  max time network: 120s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/09/2024, 07:17
Static task: static1
Behavioral task: behavioral1
  Sample: bcfbebe1a2c1e773b77256a0c28eb360N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bcfbebe1a2c1e773b77256a0c28eb360N.exe
  Resource: win10v2004-20240802-en
General
  Target: bcfbebe1a2c1e773b77256a0c28eb360N.exe
  Size: 61KB
  MD5: bcfbebe1a2c1e773b77256a0c28eb360
  SHA1: 66bbfa1a447c6ea8cdda468a421007fbca37afef
  SHA256: b452a00b0efa9aaa19d652d3ae095771570674b6310712ec28fca66a6becb490
  SHA512: 7ab689b69406779db1a68b6a3427c99930ee280bd5f2d7a432c0d65f53beb34f647f8ca37c2aa77663d77b23362b34e0286468bbd3f9b4a26bb7a79e1fe279dc
  SSDEEP: 384:PsjPGY2HXgrk8YhQ98E8I1XAV/QcaYpATUgch1A9NB/erxlRufmC9T:PePG5H8+hKD8ISZQjkgs1lxlRAmCJ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation
  Process: bcfbebe1a2c1e773b77256a0c28eb360N.exe
- Executes dropped EXE (1 IoC)
  pid: 3028
  Process: winupdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: bcfbebe1a2c1e773b77256a0c28eb360N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: winupdate.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1724 wrote to memory of 3028
  pid: 1724
  Process: bcfbebe1a2c1e773b77256a0c28eb360N.exe
  procid_target: 88
  (the same write from PID 1724 to PID 3028 is recorded three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bcfbebe1a2c1e773b77256a0c28eb360N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bcfbebe1a2c1e773b77256a0c28eb360N.exe"
   PID: 1724
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\winupdate.exe (child of PID 1724)
      Command line: "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
      PID: 3028
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 61KB
  MD5: 87cd4157e4480dc7954857964259cd7f
  SHA1: 128db999314bf5b4d3e0a7d530c3c1e13e7d9fd6
  SHA256: a191abd8b4a1e571bf0ada0d2cd6325d430ea4bb4670f6a2fa2301388536780f
  SHA512: 5296b844896192d1cb64373611004555874752f4a640d6cad3407686d9fed0e331c6093e8bfb2de031098720b97f8eff32f7775109b335d78fcf7de5359ad666