Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 20:29
Static task: static1
Behavioral task: behavioral1
Sample: 3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
Resource: win7-20240903-en
General
Target: 3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
Size: 397KB
MD5: ecfa84257ab760d56848224f04f45f20
SHA1: efacb3a82c7c2d15baa39a6f78217f22ea202547
SHA256: 3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998
SHA512: b9fadbdcf53f8b7a9cfdc9904e5dab1f17ae96a3e328c2c4c6d0ad06077929a259823bc9f7637f6b80acaf1cdf749879cd6081ec4d301e2bd23e9a3bfce206ff
SSDEEP: 6144:HK/d/9oM0YTX+nNPHmROkpd3CnvegL1zWmK/jJC+J/VlCa:+d/9nTOnNPGRbiegrKrJCoCa
Malware Config
Signatures
- Disables taskbar notifications via registry modification
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Destination IP: 94.242.250.64
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe (2 occurrences)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1672, 3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1672, 3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1672 (3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe) wrote to memory of PID 3996, procid_target 82 (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe"
   PID: 1672
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe (child of PID 1672)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3c1ea0fd76d9e3b33309cd6063935e722fea840d3af20a6769f6b6d4f208e998N.exe" keahzcqprijnoqp
      PID: 3996
      - System Location Discovery: System Language Discovery