Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 08:01

General

  • Target
    install_check/check_curl.exe
  • Size
    89KB
  • MD5
    2f2f73335394b46636755905fcea2cc9
  • SHA1
    5de63f89b0ad2c454574c86f60f49bfa79e80d0c
  • SHA256
    fd0dd71d6e2354d620f902c6b1a0ef7178d116fd9ec1463a690ae2dae454c2a6
  • SHA512
    a047cf969eac47b930740b665f48e4d367ee88195142c386d5621a094b7afd3eb97ec85df7a2f8f2ac027da88718f29e02abde29f6fbbc7fbeda05565028eb6a
  • SSDEEP
    1536:rX7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfRwy+O8:rLFfHgTWmCRkGbKGLeNTBfR0

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe
    "C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8230.tmp\8231.tmp\8232.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_curl.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\system32\mshta.exe
        mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::","","runas",0)(window.close)
        3⤵
        • Checks computer location settings
        • Access Token Manipulation: Create Process with Token
        • Suspicious use of WriteProcessMemory
        PID:4252
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4360
          • C:\Users\Admin\AppData\Local\Temp\INSTAL~1\check_curl.exe
            C:\Users\Admin\AppData\Local\Temp\INSTAL~1\CHECK_~1.EXE ::
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4864
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8405.tmp\8406.tmp\8407.bat C:\Users\Admin\AppData\Local\Temp\INSTAL~1\check_curl.exe ::"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2572
              • C:\Windows\system32\curl.exe
                curl -V
                7⤵
                PID:4816
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c dir /a-d|find "temp"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:880
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" dir /a-d"
                  8⤵
                  PID:3544
                • C:\Windows\system32\find.exe
                  find "temp"
                  8⤵
                  PID:2956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8230.tmp\8231.tmp\8232.bat
    • Filesize
      721B
    • MD5
      47b37a734ad6b4e35a4461a40616c0e8
    • SHA1
      991fc8f8382b0a2b214419ab6f25d59b06fe3c52
    • SHA256
      a1c96a7c5f25e7c1ee323e5c345db68473fa53a497a876a6510cbe6b135c974d
    • SHA512
      71e5968bb300e38d35f6ce203552ae70be5682df6c4442e53dd531dfa6500f817d4912df33d36fa132b12f29c2ff3601fec1fe2308e0c990b685f914d227ba85