Analysis

max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 13:34
Static task: static1

Behavioral task: behavioral1
  Sample: 488de811f5083dd8749f36134b4c0ef0N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 488de811f5083dd8749f36134b4c0ef0N.exe
  Resource: win10v2004-20240802-en
General

Target: 488de811f5083dd8749f36134b4c0ef0N.exe
Size: 181KB
MD5: 488de811f5083dd8749f36134b4c0ef0
SHA1: 2fec92075a163da5a811e0cbbc082eaeace06ba6
SHA256: a46a95e3cb849b46d87d99a87aa86795938262026620e24fe4407b676ef0126e
SHA512: c81c9623b4ddf974e12072d7fe66520023b9cfffc91d673420d0f9206dd200db8683b0af2df3e4b9520f520043286f88ce00a03fece36472da9f895bf60f1e72
SSDEEP: 3072:gSUbxauaFNfQKPu+qxR/KpcT0qDn8mpKmNxMCZUjNsiUoz6Kcbhep1Lk7WbgV8W:gSGxhaFFQfxUPun8OCCZUjig8bh7KbgZ
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  4172  uninst1.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  3436  488de811f5083dd8749f36134b4c0ef0N.exe
  3436  488de811f5083dd8749f36134b4c0ef0N.exe
  3436  488de811f5083dd8749f36134b4c0ef0N.exe
  4172  uninst1.exe
  4172  uninst1.exe
  4172  uninst1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  488de811f5083dd8749f36134b4c0ef0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uninst1.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                procid_target
  PID 3436 wrote to memory of 4172  3436  488de811f5083dd8749f36134b4c0ef0N.exe  83
  PID 3436 wrote to memory of 4172  3436  488de811f5083dd8749f36134b4c0ef0N.exe  83
  PID 3436 wrote to memory of 4172  3436  488de811f5083dd8749f36134b4c0ef0N.exe  83
Processes

C:\Users\Admin\AppData\Local\Temp\488de811f5083dd8749f36134b4c0ef0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\488de811f5083dd8749f36134b4c0ef0N.exe"
  PID: 3436
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\uninst1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\uninst1.exe
      PID: 4172
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 100KB
MD5: 30439e079a3d603c461d2c2f4f8cb064
SHA1: aaf470f6bd8deadedbc31adf17035041176c6134
SHA256: d6d0535175fb2302e5b5a498119823c37f6bddff4ab24f551aa7e038c343077a
SHA512: 607a81be02bde679aff45770e2fd5c2471d64439fdb23c3e494aed98970131e5d677e1eba3b7b36fca5b8d5b99580856bb8cf1806139c9f73693afb512126b9e

Filesize: 20KB
MD5: 8f52a9ef3560a691b21ceba516d4be0b
SHA1: 4caccff6d4640662456b6573dc7f2210945a0d25
SHA256: 88d106dc07a1e27240603b18ff341eb4aa98ea89e52549f8c1e02c1f0d94bcd1
SHA512: 6364ce682d13f4567c2e03450b1f07fd6327773e87ab190b0881d135185b208ad38f1e74b70ae65e14b2920c5482dffbc533e6df6a075fa7f844b10e0f6b4eaf

Filesize: 181KB
MD5: a4ecf8cefac3c799a8ad472da5df657a
SHA1: fb6d3bafab8ba39a453881b12a533d041e94ae54
SHA256: d440dcf8ff0a063b06dd581085efaeda45479b10614ca553035129207d3ef438
SHA512: 0bc3d7dd5669031738b806e8efc46c7142246ab5607ad6fae07d984bb419b2e89b7aed5417ecfe913d8d49b9a58f078962ae7cbacacc1b329721c2fc0de76420