Analysis
max time kernel: 114s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/09/2024, 15:36

Static task: static1
Behavioral task: behavioral1
Sample: 8cb783ad7005f8df649bd8f875959390N.exe
Resource: win7-20240903-en
General
Target: 8cb783ad7005f8df649bd8f875959390N.exe
Size: 4.8MB
MD5: 8cb783ad7005f8df649bd8f875959390
SHA1: 8264582fb5e14de0c9eb0ddb564a2bcdb27da235
SHA256: bd880ae6f02d3db47e428a65ec1849f0e1754b603b7f88318d30f45acbcc9b72
SHA512: deb0bdf8ed556c14e0fa11bd21ab73efa6cfdf08ddf37881a4025d6184a8190dc1d3de4458a952dd8a9eb63351376c90089df5b6bd1771b54732c67a81e7f364
SSDEEP: 49152:916jZg1DvQtV6sqFefM6xK5u3z+pSV4x9BLZmU6X9KpLbQQ4oda133/9kpr:iji1SBqFebRz+hR

Malware Config
Extracted
Family: lumma
C2: https://cutesliprpepo.shop/api
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description            pid   Process                                procid_target
PID 2104 created 3432  2104  8cb783ad7005f8df649bd8f875959390N.exe  55

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process                                procid_target
PID 2104 set thread context of 4564  2104  8cb783ad7005f8df649bd8f875959390N.exe  94

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8cb783ad7005f8df649bd8f875959390N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
2104  8cb783ad7005f8df649bd8f875959390N.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2104  8cb783ad7005f8df649bd8f875959390N.exe
Token: SeDebugPrivilege  2104  8cb783ad7005f8df649bd8f875959390N.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                procid_target
PID 2104 wrote to memory of 4564  2104  8cb783ad7005f8df649bd8f875959390N.exe  94
(the same row is recorded 9 times: nine writes from 2104 into 4564)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3432

  C:\Users\Admin\AppData\Local\Temp\8cb783ad7005f8df649bd8f875959390N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8cb783ad7005f8df649bd8f875959390N.exe"
    PID: 2104
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    PID: 4564
    - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4508,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
  PID: 2360
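The signature rows and the process tree above describe one chain: the sample (PID 2104) enables SeDebugPrivilege, starts cvtres.exe (PID 4564) so that the tree records Explorer.EXE (PID 3432) as its parent, writes into it nine times and resets its thread context, after which both the sample and the hollowed cvtres.exe read the NLS\Language key. The script below is an added example, not tria.ge code, of how a triage analyst can correlate such raw rows into findings instead of reading them one table at a time. The PIDs, image names, registry key and privilege come from this page; the Event structure, the rule logic, the reading of "PID 2104 created 3432" as naming the recorded parent, and the HOLLOW_HOSTS list are assumptions made for the example.

```python
"""Correlate sandbox signature rows into higher-level findings.

Added example for this report, not tria.ge code. PIDs, image names, the
registry key and the privilege name are taken from the page; the Event
structure, the rules and the HOLLOW_HOSTS list are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE = "8cb783ad7005f8df649bd8f875959390N.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


@dataclass(frozen=True)
class Event:
    signature: str                 # signature name as printed in the report
    pid: int                       # acting process
    process: str                   # image name of the acting process
    target: Optional[int] = None   # PID named by the row, if any
    ioc: Optional[str] = None      # registry key, privilege name, etc.


# Process tree as shown on the page: pid -> (image, parent pid in the tree)
PROCESSES = {
    3432: ("Explorer.EXE", None),
    2104: (SAMPLE, 3432),
    4564: ("cvtres.exe", 3432),
}

# Rows reconstructed from the page's signature tables (constructed input).
EVENTS = [
    # "PID 2104 created 3432": read here as the sample creating a child with
    # explorer.exe (3432) recorded as the parent (assumption).
    Event("NtCreateUserProcessOtherParentProcess", 2104, SAMPLE, target=3432),
    Event("SetThreadContext", 2104, SAMPLE, target=4564),
    Event("AdjustPrivilegeToken", 2104, SAMPLE, ioc="SeDebugPrivilege"),
    Event("AdjustPrivilegeToken", 2104, SAMPLE, ioc="SeDebugPrivilege"),
    Event("SystemLanguageDiscovery", 2104, SAMPLE, ioc=NLS_KEY),
    Event("SystemLanguageDiscovery", 4564, "cvtres.exe", ioc=NLS_KEY),
] + [Event("WriteProcessMemory", 2104, SAMPLE, target=4564) for _ in range(9)]

# Signed Microsoft binaries often used as hollowing hosts (example list, not exhaustive).
HOLLOW_HOSTS = {"cvtres.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}


def image(pid, processes):
    return processes.get(pid, ("<unknown>", None))[0]


def correlate(events, processes):
    """Return (severity, message) findings derived from the raw rows."""
    findings = []

    # 1. Hollowing pattern: the same source both writes into a target and
    #    rewrites its thread context. A known host image raises severity.
    writes = Counter((e.pid, e.target) for e in events if e.signature == "WriteProcessMemory")
    ctx = {(e.pid, e.target) for e in events if e.signature == "SetThreadContext"}
    hollowed = set()
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) in ctx:
            host = image(dst, processes)
            sev = "high" if host.lower() in HOLLOW_HOSTS else "medium"
            hollowed.add(dst)
            findings.append((sev, f"process hollowing: {src} ({image(src, processes)}) wrote {n}x "
                                  f"into {dst} ({host}) and set its thread context"))

    # 2. Parent spoofing: the creator named in the row is not the parent the
    #    tree records. Hollowed processes sitting under the claimed parent
    #    are the likely spoofed children.
    for e in events:
        if e.signature != "NtCreateUserProcessOtherParentProcess":
            continue
        children = [p for p, (_, parent) in processes.items() if parent == e.target and p in hollowed]
        who = ", ".join(f"{p} ({image(p, processes)})" for p in children) or "unknown child"
        findings.append(("high", f"PPID spoofing: {e.pid} created {who} with {e.target} "
                                 f"({image(e.target, processes)}) recorded as parent"))

    # 3. Locale check: a hollowed host has no reason of its own to read
    #    NLS\Language, so the injected code is performing the check
    #    (stealers commonly use it to skip victims in certain locales).
    readers = defaultdict(set)
    for e in events:
        if e.signature == "SystemLanguageDiscovery":
            readers[e.ioc].add(e.pid)
    for key, pids in readers.items():
        leaf = key.rsplit("\\", 1)[-1]
        injected = sorted(pids & hollowed)
        extra = f"; injected host(s) {injected} also read it" if injected else ""
        findings.append(("medium" if injected else "low",
                         f"locale check on {leaf} by PIDs {sorted(pids)}{extra}"))

    # 4. SeDebugPrivilege enables opening other processes for injection.
    privs = {(e.pid, e.ioc) for e in events if e.signature == "AdjustPrivilegeToken"}
    for pid, priv in sorted(privs):
        findings.append(("low", f"{pid} enabled {priv}"))

    return findings


def severities(findings):
    """Count findings per severity, handy for a quick verdict line."""
    return Counter(sev for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in correlate(EVENTS, PROCESSES):
        print(f"[{sev:6}] {msg}")
```

Run on the rows from this page it yields two high findings (hollowing of cvtres.exe and the spoofed parent), one medium (the locale check repeated from inside the injected host) and one low (SeDebugPrivilege). Dropping the SetThreadContext row removes the hollowing finding and downgrades the locale check, which is the point of correlating rather than counting signatures.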