Overview

Static analysis score: 7

Behavioral task scores (sample names are shown truncated as on the original page):

| Score | Sample | Platform |
|---|---|---|
| 3 | install_ch...rl.exe | windows7-x64 |
| 3 | install_ch...rl.exe | windows10-2004-x64 |
| 7 | install_ch...db.exe | windows7-x64 |
| 3 | install_ch...db.exe | windows10-2004-x64 |
| 3 | install_ch...dk.exe | windows7-x64 |
| 3 | install_ch...dk.exe | windows10-2004-x64 |
| 3 | install_ch...ta.exe | windows7-x64 |
| 3 | install_ch...ta.exe | windows10-2004-x64 |
| 3 | restart.exe | windows7-x64 |
| 3 | restart.exe | windows10-2004-x64 |
| 7 | startup.exe | windows7-x64 |
| 3 | startup.exe | windows10-2004-x64 |
| 3 | stop.exe | windows7-x64 |
| 3 | stop.exe | windows10-2004-x64 |
Analysis (score: 7)

- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/09/2024, 08:01
Static task: static1

Behavioral tasks:

| Task | Sample | Resource |
|---|---|---|
| behavioral1 | install_check/check_curl.exe | win7-20240704-en |
| behavioral2 | install_check/check_curl.exe | win10v2004-20240802-en |
| behavioral3 | install_check/check_db.exe | win7-20240708-en |
| behavioral4 | install_check/check_db.exe | win10v2004-20240802-en |
| behavioral5 | install_check/check_jdk.exe | win7-20240704-en |
| behavioral6 | install_check/check_jdk.exe | win10v2004-20240802-en |
| behavioral7 | install_check/check_meta.exe | win7-20240903-en |
| behavioral8 | install_check/check_meta.exe | win10v2004-20240802-en |
| behavioral9 | restart.exe | win7-20240903-en |
| behavioral10 | restart.exe | win10v2004-20240802-en |
| behavioral11 | startup.exe | win7-20240903-en |
| behavioral12 | startup.exe | win10v2004-20240802-en |
| behavioral13 | stop.exe | win7-20240903-en |
| behavioral14 | stop.exe | win10v2004-20240802-en |
General

- Target: install_check/check_curl.exe
- Size: 89KB
- MD5: 2f2f73335394b46636755905fcea2cc9
- SHA1: 5de63f89b0ad2c454574c86f60f49bfa79e80d0c
- SHA256: fd0dd71d6e2354d620f902c6b1a0ef7178d116fd9ec1463a690ae2dae454c2a6
- SHA512: a047cf969eac47b930740b665f48e4d367ee88195142c386d5621a094b7afd3eb97ec85df7a2f8f2ac027da88718f29e02abde29f6fbbc7fbeda05565028eb6a
- SSDEEP: 1536:rX7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfRwy+O8:rLFfHgTWmCRkGbKGLeNTBfR0
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | mshta.exe |

Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)

| pid | Process |
|---|---|
| 4252 | mshta.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | check_curl.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | check_curl.exe |

Suspicious use of WriteProcessMemory (19 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2912 wrote to memory of 4768 | 2912 | check_curl.exe | 84 |
| PID 2912 wrote to memory of 4768 | 2912 | check_curl.exe | 84 |
| PID 4768 wrote to memory of 4252 | 4768 | cmd.exe | 86 |
| PID 4768 wrote to memory of 4252 | 4768 | cmd.exe | 86 |
| PID 4252 wrote to memory of 4360 | 4252 | mshta.exe | 88 |
| PID 4252 wrote to memory of 4360 | 4252 | mshta.exe | 88 |
| PID 4360 wrote to memory of 4864 | 4360 | cmd.exe | 90 |
| PID 4360 wrote to memory of 4864 | 4360 | cmd.exe | 90 |
| PID 4360 wrote to memory of 4864 | 4360 | cmd.exe | 90 |
| PID 4864 wrote to memory of 2572 | 4864 | check_curl.exe | 91 |
| PID 4864 wrote to memory of 2572 | 4864 | check_curl.exe | 91 |
| PID 2572 wrote to memory of 4816 | 2572 | cmd.exe | 92 |
| PID 2572 wrote to memory of 4816 | 2572 | cmd.exe | 92 |
| PID 2572 wrote to memory of 880 | 2572 | cmd.exe | 93 |
| PID 2572 wrote to memory of 880 | 2572 | cmd.exe | 93 |
| PID 880 wrote to memory of 3544 | 880 | cmd.exe | 94 |
| PID 880 wrote to memory of 3544 | 880 | cmd.exe | 94 |
| PID 880 wrote to memory of 2956 | 880 | cmd.exe | 95 |
| PID 880 wrote to memory of 2956 | 880 | cmd.exe | 95 |
Processes (process tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe (PID 2912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4768)
    Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8230.tmp\8231.tmp\8232.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mshta.exe (PID 4252)
      Command line: mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::","","runas",0)(window.close)
      Signatures: Checks computer location settings; Access Token Manipulation: Create Process with Token; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (PID 4360)
        Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\INSTAL~1\check_curl.exe (PID 4864)
          Command line: C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe (PID 2572)
            Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8405.tmp\8406.tmp\8407.bat C:\Users\Admin\AppData\Local\Temp\INSTAL~1\check_curl.exe ::"
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\curl.exe (PID 4816)
              Command line: curl -V
            - C:\Windows\system32\cmd.exe (PID 880)
              Command line: C:\Windows\system32\cmd.exe /c dir /a-d|find "temp"
              Signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\system32\cmd.exe (PID 3544)
                Command line: C:\Windows\system32\cmd.exe /S /D /c" dir /a-d"
              - C:\Windows\system32\find.exe (PID 2956)
                Command line: find "temp"
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 721B
- MD5: 47b37a734ad6b4e35a4461a40616c0e8
- SHA1: 991fc8f8382b0a2b214419ab6f25d59b06fe3c52
- SHA256: a1c96a7c5f25e7c1ee323e5c345db68473fa53a497a876a6510cbe6b135c974d
- SHA512: 71e5968bb300e38d35f6ce203552ae70be5682df6c4442e53dd531dfa6500f817d4912df33d36fa132b12f29c2ff3601fec1fe2308e0c990b685f914d227ba85