Analysis
max time kernel: 96s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2024, 22:58
Static task: static1
Behavioral task: behavioral1
  Sample: 3ed0027cc70689f8c49d21130e910300N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3ed0027cc70689f8c49d21130e910300N.exe
  Resource: win10v2004-20240802-en
General
Target: 3ed0027cc70689f8c49d21130e910300N.exe
Size: 44KB
MD5: 3ed0027cc70689f8c49d21130e910300
SHA1: 96a0540b72de096dbbc1e34cb7b74e37afc5d8f4
SHA256: 5feeb263237809d64b91fdda88da145df7ae325a982b85f26428924aba383b0b
SHA512: d3d4cba9a8bc9eab1503bc549cff396b24a04903fff7b402fce48848dc1d22a0db7c5c6ca2f30d015cda578f90d84ad6772b7b9041065172dfa83547a35ff72d
SSDEEP: 768:XYqTTIINYPjrxIF0GKZ15f8TeCA4SR/sAxSTKDTho00LEqDnc9W5QE:XYcNY0KZrtBxSTKRo0gEEc9W5QE
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: 3ed0027cc70689f8c49d21130e910300N.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (process: ffengh.exe)
Executes dropped EXE (1 IoCs)
  PID 4916: ffengh.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3ed0027cc70689f8c49d21130e910300N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ffengh.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1008 wrote to memory of 4916 (pid: 1008, process: 3ed0027cc70689f8c49d21130e910300N.exe, procid_target: 83)
  PID 1008 wrote to memory of 4916 (pid: 1008, process: 3ed0027cc70689f8c49d21130e910300N.exe, procid_target: 83)
  PID 1008 wrote to memory of 4916 (pid: 1008, process: 3ed0027cc70689f8c49d21130e910300N.exe, procid_target: 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\3ed0027cc70689f8c49d21130e910300N.exe (PID 1008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ed0027cc70689f8c49d21130e910300N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ffengh.exe (PID 4916)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ffengh.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 44KB
MD5: 183e5c13075e9dc47e6ee821a54fe721
SHA1: f4e022bd47642c9104a15b4645ad3a6c66775490
SHA256: 4e25e0f4694e130f499977284361cd4667db14845d6bf6e13c6e0ec6321eb7b5
SHA512: 4619d255d5ef7ae66c9e49a8dc66393000b12e42531056f88e219b130a3ef362bd2c7baeeba7adb51bae181342c37bf4df2127baa9e4a33a5440f6771dda5162