Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 10:12
Static task: static1
Behavioral task: behavioral1
- Sample: fd31eaf21124c3f1128bc62b851b7400N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: fd31eaf21124c3f1128bc62b851b7400N.exe
- Resource: win10v2004-20240802-en
General
- Target: fd31eaf21124c3f1128bc62b851b7400N.exe
- Size: 39KB
- MD5: fd31eaf21124c3f1128bc62b851b7400
- SHA1: 2dd88c5c2b77758ff6b9d495f0d17dd38a98d89e
- SHA256: a14123f4907aff417a57d7aa0a54f489b738c6b4aed1b1656db71bdbb336e794
- SHA512: bfe4d37f071fdcec0fecd4af34cb55288efcc3e45edb4be637d684398fc19a544760b4b9cc612979c349a26e20c18286fbd64aabcd1b26ae0386d6c987ba3993
- SSDEEP: 384:MApc8m4e0LvQac4JI341CNabnkIU0Sq0yDAU:MApQr0LvddJI34nTkIU0Eyn
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation (process: fd31eaf21124c3f1128bc62b851b7400N.exe)
- Executes dropped EXE (1 IoC)
  PID 2912: sal.exe
- Drops file in System32 directory (1 IoC)
  File created: \??\c:\windows\SysWOW64\sal.exe (process: fd31eaf21124c3f1128bc62b851b7400N.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: fd31eaf21124c3f1128bc62b851b7400N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sal.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3412 wrote to memory of PID 2912 (process: fd31eaf21124c3f1128bc62b851b7400N.exe, procid_target: 91)
  PID 3412 wrote to memory of PID 2912 (process: fd31eaf21124c3f1128bc62b851b7400N.exe, procid_target: 91)
  PID 3412 wrote to memory of PID 2912 (process: fd31eaf21124c3f1128bc62b851b7400N.exe, procid_target: 91)
Processes
- C:\Users\Admin\AppData\Local\Temp\fd31eaf21124c3f1128bc62b851b7400N.exe (PID 3412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd31eaf21124c3f1128bc62b851b7400N.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\windows\SysWOW64\sal.exe (PID 2912)
    Command line: "C:\windows\system32\sal.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 368)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 39KB
- MD5: bc9937c3862acc948bf237086858e23c
- SHA1: 00eda705fd71e4976fb3da9dcc66cc9eb77ae387
- SHA256: f4d92080fb1da4eed01e3ade9f7fe507f75bc65ca780d37a873f6c36f9d36925
- SHA512: 1f4536859a052fbf4f6c2c3087a2833886664e54ddfa7b97491ef4801dfb9009295aa48a3b2b859166743ed7175fa29e96d94348ca5ae9ef584c9d2eca5dda4d