Analysis
- max time kernel: 93s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/09/2024, 00:10
Static task: static1
Behavioral task: behavioral1
- Sample: a1aa4d985bd9198f051564a81b254e10N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: a1aa4d985bd9198f051564a81b254e10N.exe
- Resource: win10v2004-20240802-en
General
- Target: a1aa4d985bd9198f051564a81b254e10N.exe
- Size: 22KB
- MD5: a1aa4d985bd9198f051564a81b254e10
- SHA1: 1f317e8f47004a614c8e577af8e7e1e8c124a9b8
- SHA256: a48b56dc04c653e40eca650bec4968df2a7fb4c9ee3eb31102491cbc483cd809
- SHA512: 23fe4b9f62c8d93a56169b0a21d5a6c4cf16a01d2ad7b50a01da79a943fae5ef7a94d4948ee21dc42169646a273472b7179950ba47a5c1ae1350dfc12590a11c
- SSDEEP: 384:+6C5SYpuESCgvATWe64rbbIbOS5O/lg7Vvi3:+6n0Sa+KIySWEvK
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | a1aa4d985bd9198f051564a81b254e10N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | ffengh.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1992 | ffengh.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1aa4d985bd9198f051564a81b254e10N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffengh.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4184 wrote to memory of 1992 | 4184 | a1aa4d985bd9198f051564a81b254e10N.exe | 86
  PID 4184 wrote to memory of 1992 | 4184 | a1aa4d985bd9198f051564a81b254e10N.exe | 86
  PID 4184 wrote to memory of 1992 | 4184 | a1aa4d985bd9198f051564a81b254e10N.exe | 86
Processes
1. "C:\Users\Admin\AppData\Local\Temp\a1aa4d985bd9198f051564a81b254e10N.exe" (PID: 4184)
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\ffengh.exe" (PID: 1992)
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 22KB
  MD5: ca8c436f1fbb0d298ec73d088c4f4bd7
  SHA1: b8738b5abbc8db3306acb167283e5cdf2a1576a3
  SHA256: ee29829dc309974702060f6d2affb2c8e02a5e3c25e45243e0a0468e2f449c65
  SHA512: 1f896171418b3319296d32082054cc74f5cf9ce258e2f219cf4b5fc5b8ecb95cd0933888cdddd3e0e9f3e503ea55ac016ef7cd9035183b8bfd8d4a3a699bde69