Analysis

  • max time kernel
    93s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 08:01

General

  • Target

    install_check/check_meta.exe

  • Size

    89KB

  • MD5

    154d4585534f8f8dfde2275f4dd2bb06

  • SHA1

    9510340a04b94f53681851424a67cd9530081c50

  • SHA256

    06e4874e142b3c5a6891b7476cf6932be27497139fef536ae0da61723a53c5f0

  • SHA512

    9daa4c336bab9825eba50942432d5592ac755540a7a56bafe4459fe62b7317866111b3b29c4704e426d5a39c8deba77eca2d3a5c5113155f28420816a5d81101

  • SSDEEP

    1536:I87ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfSwrO2:ISFfHgTWmCRkGbKGLeNTBfS0

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Connections Discovery 1 TTPs 2 IoCs

    Attempt to get a listing of network connections.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe
    "C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\73E8.tmp\73E9.tmp\73EA.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_meta.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c netstat -ano | findstr 10100
        3⤵
        • System Network Connections Discovery
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\system32\NETSTAT.EXE
          netstat -ano
          4⤵
          • System Network Connections Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:2860
        • C:\Windows\system32\findstr.exe
          findstr 10100
          4⤵
          PID:1616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\73E8.tmp\73E9.tmp\73EA.bat

    Filesize

    399B

    MD5

    a7c949c451cb9ccbd27dfec42aa17a01

    SHA1

    7ddb28b45060b2726f1b0bb003b329dc923b0e59

    SHA256

    668383a4c8513eaf7ad526b3efc54f7f73f5f42b3762633f817ab3da86e8d47d

    SHA512

    5001701b87b7379e5634c8fb928fcd436061d6c4e2ad738c320169f62786dbfdb604f90e7edd8f5954c7117707829be3d0f65d863a849f1acfe513f27735d1e0