Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/09/2024, 18:46
Static task: static1
Behavioral task: behavioral1
- Sample: e62b87ba4ca60a4acd9b0cc026b5c580N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e62b87ba4ca60a4acd9b0cc026b5c580N.exe
- Resource: win10v2004-20240802-en
General
- Target: e62b87ba4ca60a4acd9b0cc026b5c580N.exe
- Size: 223KB
- MD5: e62b87ba4ca60a4acd9b0cc026b5c580
- SHA1: 32496b168bf717b5c095cff2a0cc5d3fb062cf99
- SHA256: 65de25d4592677bf18d2ca1fda71800b22e2a97d2a8180bb8c910d2e308025f6
- SHA512: 48f2fac4eeb43878abc6ba4da91ee71ac967b395a7deb9f6f428bde08d64c752c54f0193933979f0378d54dbd2cc3ba1e349b8443d6b02c1d3b9c0e61295b467
- SSDEEP: 1536:0QqX1EEpwljTSWebPmgPB6FVqX+O3m/TkmL4oDHTjCWSpAnE5s:A1UpoqQ+ICakHdSpAnA
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1944, Process svchost.exe

- Enumerates connected drives (3 TTPs, 34 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by e62b87ba4ca60a4acd9b0cc026b5c580N.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
  File opened (read-only) by svchost.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
  Both processes probe the same 17 volume roots (E: through V:, excluding F:), 17 IoCs each.

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by e62b87ba4ca60a4acd9b0cc026b5c580N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe

- Modifies registry class (5 IoCs)
  e62b87ba4ca60a4acd9b0cc026b5c580N.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV
  e62b87ba4ca60a4acd9b0cc026b5c580N.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\EFile = "051033066052045073102210051036065140143066100220208170023064164123213087144234067021045232183042096"
  e62b87ba4ca60a4acd9b0cc026b5c580N.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile
  svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile
  The BFWorkFile1007PV key under HKLM\SOFTWARE\Classes is not a standard Windows class registration and is a host-level IoC worth hunting for on its own.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 852, Process e62b87ba4ca60a4acd9b0cc026b5c580N.exe (reported twice)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1944, Process svchost.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 852 (e62b87ba4ca60a4acd9b0cc026b5c580N.exe) wrote to memory of PID 1944 (svchost.exe), procid_target 84 (reported three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e62b87ba4ca60a4acd9b0cc026b5c580N.exe (PID 852)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e62b87ba4ca60a4acd9b0cc026b5c580N.exe"
   - Enumerates connected drives
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\svchost.exe (PID 1944), child of PID 852
      Command line: C:\Users\svchost.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam

Note that C:\Users\svchost.exe is not the Windows service host: the legitimate svchost.exe lives in C:\Windows\System32 (and C:\Windows\SysWOW64 on x64 systems). A binary with that name at the root of the Users directory, spawned from a Temp-folder executable that then writes into its memory, is a name-and-location masquerade, and the path alone is a usable detection.
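The Signatures and Processes sections above can be turned into host-side detection logic. The following is an added example and is not part of the Triage report or of the sample itself: it replays the four behaviours the report records (root-of-volume reads across many drives, writes under the BFWorkFile1007PV class key, an svchost.exe outside System32/SysWOW64, and WriteProcessMemory into another PID) over constructed, Triage-style event lines. The " | "-separated line format, the benign control rows (a real svchost.exe touching only C: and writing to its own PID) and the drive-count threshold are assumptions made for this example; the PIDs, image paths, drive letters and registry paths are taken from the report.

```python
import re
from collections import defaultdict

# Image paths as they appear in the report's process tree.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\e62b87ba4ca60a4acd9b0cc026b5c580N.exe"
DROPPED = r"C:\Users\svchost.exe"
REAL_SVCHOST = r"C:\Windows\System32\svchost.exe"  # benign control, assumed

# Constructed sample events (not captured telemetry). Format assumed for this
# example: "pid | image | action | ioc", mirroring the report's IoC rows.
SAMPLE_EVENTS = "\n".join([
    f"852 | {PARENT} | File opened (read-only) | \\??\\E:",
    f"852 | {PARENT} | File opened (read-only) | \\??\\G:",
    f"852 | {PARENT} | File opened (read-only) | \\??\\K:",
    f"852 | {PARENT} | File opened (read-only) | \\??\\M:",
    f"852 | {PARENT} | Key opened | \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language",
    f"852 | {PARENT} | Key created | \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\BFWorkFile1007PV",
    f"852 | {PARENT} | Set value (str) | \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\BFWorkFile1007PV\\EFile",
    f"852 | {PARENT} | Wrote to memory of | 1944",
    f"1944 | {DROPPED} | File opened (read-only) | \\??\\E:",
    f"1944 | {DROPPED} | File opened (read-only) | \\??\\I:",
    f"1944 | {DROPPED} | File opened (read-only) | \\??\\O:",
    f"1944 | {DROPPED} | Key created | \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\BFWorkFile1007PV",
    # Benign controls (assumed): the real service host reading only C:, and a
    # process touching its own memory. Neither should produce a hit.
    f"1100 | {REAL_SVCHOST} | File opened (read-only) | \\??\\C:",
    f"1100 | {REAL_SVCHOST} | Wrote to memory of | 1100",
])


def parse_events(text):
    """Parse ' | '-separated lines into (pid, image, action, ioc) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, image, action, ioc = (f.strip() for f in line.split(" | ", 3))
        events.append((int(pid), image, action, ioc))
    return events


# Matches an NT volume root such as \??\E: and captures the drive letter.
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")


def drive_enumeration(events, threshold=3):
    """'Enumerates connected drives': one process opening the root of several
    volumes other than C:. Returns {(pid, image): sorted drive letters}."""
    seen = defaultdict(set)
    for pid, image, action, ioc in events:
        m = DRIVE_ROOT.match(ioc)
        if action == "File opened (read-only)" and m and m.group(1) != "C":
            seen[(pid, image)].add(m.group(1))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


CLASS_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV"


def registry_class_ioc(events):
    """'Modifies registry class': key creation or value writes at or below the
    BFWorkFile1007PV class key. Reads of other keys (e.g. NLS\\Language) are
    deliberately not matched here. Returns sorted (pid, action, ioc) tuples."""
    return sorted({(pid, action, ioc) for pid, _, action, ioc in events
                   if action in ("Key created", "Set value (str)")
                   and ioc.upper().startswith(CLASS_KEY.upper())})


# The only directories the genuine service host runs from (lower-cased).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def svchost_masquerade(events):
    """A binary named svchost.exe running from anywhere but System32/SysWOW64,
    as the dropped copy in the report does. Returns {(pid, image)}."""
    hits = set()
    for pid, image, _, _ in events:
        directory, _, name = image.rpartition("\\")
        if name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS:
            hits.add((pid, image))
    return hits


def cross_process_write(events):
    """'Suspicious use of WriteProcessMemory': a process writing into a PID
    other than its own. Returns {(source_pid, target_pid)}."""
    return {(pid, int(ioc)) for pid, _, action, ioc in events
            if action == "Wrote to memory of" and int(ioc) != pid}


def run_detections(text=SAMPLE_EVENTS):
    """Run every rule over the event text and return hits keyed by rule name."""
    events = parse_events(text)
    return {
        "drive_enumeration": drive_enumeration(events),
        "registry_class_ioc": registry_class_ioc(events),
        "svchost_masquerade": svchost_masquerade(events),
        "cross_process_write": cross_process_write(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(f"{rule}: {hits}")
```

On the constructed events both PID 852 and PID 1944 trip the drive-enumeration rule, only the copy in C:\Users\ trips the svchost masquerade rule, and the single cross-process write is 852 into 1944, matching the report's process tree. To use this against real telemetry, replace `parse_events` with a reader for your EDR or Sysmon export (Event ID 1 for image paths, 10 for cross-process access, 12/13 for registry writes) and keep the rule functions unchanged.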
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 224KB
- MD5: 6275fe651ef7c4d55e095e876b982fcb
- SHA1: 628c11e14b633b2694d0d1eb11db3a4cf7f391e3
- SHA256: e3201739d952db6fc8ac9e9b01aba00f99ea4af89e0ec48216dc9764e3ed3f6d
- SHA512: 2474f11ca97d92c8386fb020c77c5b0d936cad14bf627acf800d7c3ba0871d7820670a59011b3d60ff8f133847dfa07fcaa231cb7209362c5bfe8b73182dbfc4

This file differs in size and in every hash from the submitted sample (223KB, MD5 e62b87ba4ca60a4acd9b0cc026b5c580), so hash-based hunting should cover both sets of values.