Analysis
- max time kernel: 93s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Resource: win10v2004-20240802-en
General
- Target: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
- Size: 2.7MB
- MD5: 6803679e27fec0fbbc90ad4d1c847b60
- SHA1: 4bcc7562edd3119175cbdbc34ab7f9b0635fcf3e
- SHA256: 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c
- SHA512: 64c2dc052f662869021192199cccc61919a1baaa57fd08b4a25ac7e181f1f73b64ffc0fb38e468b7567f8e0d88194f080b2fc766b96a1cb219e4f9d7167e49bd
- SSDEEP: 49152:9ayT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:bTE66yXZ02DwUHoazRofxIhELjf/IVgs
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2724 | Eolanda Bunnie.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4200 | 2724 | WerFault.exe | 83
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eolanda Bunnie.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  3284 | cmd.exe
  2920 | PING.EXE
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  2920 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  2724 | Eolanda Bunnie.exe
  2724 | Eolanda Bunnie.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Token: SeIncBasePriorityPrivilege | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe
  Token: SeDebugPrivilege | 2724 | Eolanda Bunnie.exe
  Token: SeIncBasePriorityPrivilege | 2724 | Eolanda Bunnie.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 5040 wrote to memory of 2724 | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe | 83
  PID 5040 wrote to memory of 2724 | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe | 83
  PID 5040 wrote to memory of 2724 | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe | 83
  PID 5040 wrote to memory of 3284 | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe | 84
  PID 5040 wrote to memory of 3284 | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe | 84
  PID 5040 wrote to memory of 3284 | 5040 | 165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe | 84
  PID 3284 wrote to memory of 2920 | 3284 | cmd.exe | 86
  PID 3284 wrote to memory of 2920 | 3284 | cmd.exe | 86
  PID 3284 wrote to memory of 2920 | 3284 | cmd.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe (depth 1, PID 5040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe"
  Signatures:
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\Eolanda Bunnie.exe (depth 2, PID 2724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Eolanda Bunnie.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Children:
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 4200)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1572
      Signatures:
      - Program crash
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3284)
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\165c2d7225dbbfe981b38f77ff1c3c1efe6ff8f84a8bb59b209f0a4dcebcfd4c.exe"
    Signatures:
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 2920)
      Command line: ping 1.1.1.1 -n 1 -w 3000
      Signatures:
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2464)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2724 -ip 2724
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 59f0a677677af3d3b6953d0989124e07
  SHA1: 9889a7ec7dcf8d40c35ec5562e2ecdee18bf3b63
  SHA256: da7c443ef7c76c28a5b2a073ac4a185d2d83c80065b4d392ff399076903c8454
  SHA512: 52a4b188d2346c496e188cf26e1f6f7f5f79e19e20007bedb6219d89c7142300bb4cbc1bf54772e5775cc0f45dd7d2fa503495cc289adfbfa961b86c47f2d009
- Filesize: 2.7MB
  MD5: 343b54e44945a3ecd45623664b977a48
  SHA1: b0b65341cd9d37d3f6f6ba8bb5dad04bf76845d5
  SHA256: dae6a795c2c0479e236319c5309d688196a19e7047a5eb1835c3790f855574eb
  SHA512: ed0691b19c570ac9a0c4619488a166b4ed02b1d697e0b67bf64b9c366c932104bdd6fe273e3778a82981f389d8f10c87bbde54f7a92ed038c288e802217729f2