Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26/09/2024, 03:53
Static task
static1
Behavioral task
behavioral1
Sample
fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe
Resource
win10v2004-20240802-en
General
-
Target
fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe
-
Size
282KB
-
MD5
52d0c236a13464ea6f28e0bf9989a159
-
SHA1
8c3d0ce7e30c8f85521e2ede54150ff06e3e84ae
-
SHA256
fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad
-
SHA512
3a395f6e738b1fa7348db8e4d375adf242454602f59250fda3f19440647561283f97ece1d9b6cb38398f9b184e7700cb8ef19d7ea39ac2f75f4ad474a132cbc5
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkf1Q:boSeGUA5YZazpXUmZhZ6S3
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2712 a1punf5t2of.exe 3012 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
pid Process 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 2712 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2712 set thread context of 3012 2712 a1punf5t2of.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3012 a1punf5t2of.exe 3012 a1punf5t2of.exe 3012 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3012 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3012 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2228 wrote to memory of 2712 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 30 PID 2228 wrote to memory of 2712 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 30 PID 2228 wrote to memory of 2712 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 30 PID 2228 wrote to memory of 2712 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 30 PID 2228 wrote to memory of 2712 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 30 PID 2228 wrote to memory of 2712 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 30 PID 2228 wrote to memory of 2712 2228 fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe 30 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31 PID 2712 wrote to memory of 3012 2712 a1punf5t2of.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe"C:\Users\Admin\AppData\Local\Temp\fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
282KB
MD53b78529d4fce1ff8acb002c1a18fcda4
SHA19044c7e2aee4f5b70a387389b4a7cad983d6b385
SHA25655667f6ea0e0ec002ded4ba9e2b3c85dd75629c65656bc38d4f36224cfccdf2d
SHA512da4e39db6410636eef9ca083f4c3be5a753e562b82d629fcaac4d9133b2bed7b3ff919f0e41f6751d817cf67a2d4b75d49136835d801c3fd57b58437ea4edcb0