Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30/09/2024, 01:53
General
-
Target
b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe
-
Size
2.5MB
-
MD5
dea2b172855474242e3607e18f7eb659
-
SHA1
ce440d756e0bfe5593462d1a4b0c9f818d1f3623
-
SHA256
b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4
-
SHA512
42652c9dce689f9e2227651583cedb49dbe67c2c6845703ed35e1e8e502999ff7f1ff959ab7ef6b9ea0a8152a4539ae6b848e8aef4a88e6a9dca0d9c4f3b7e81
-
SSDEEP
49152:V6i0cnlHeRrlG4g5ec8IBvKvYJC623msvD/DX+y4onCYDj:kPclHeRrlG4g5ea1g62WsvD/D+donCYn
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe"C:\Users\Admin\AppData\Local\Temp\b9ec677efc791e6c4b84b1b5add11bff1a02f7979a644d8b5f066f3758acd2c4.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD51a5f24c3ab345d5ed5f68409f442f205
SHA148c1eb761f9a8d66a341d871b4ff0b95b2109bfd
SHA2565e958c2dbfbc49efa38eca532828b116577a152823439fa6ce064b2263e09a1c
SHA5123f57ec3b0a3ec71cdf6c416c11ee1d6cd6ea8388030611027a6b02d93106b7f3b0fc478fa4fe5a0d86a58c3a2e8f4c28f039b3345eaf429e98ade9d657ee56bc
-
Filesize
92B
MD516ae5830b2877dac7247f8c4154c9efd
SHA1fe650b531d9eb8dd0d9d21b8b8c06f1246d397c6
SHA256a85dd932dfa73597b1281b8ce99b149e1d92577a0daf3e2318b38d1df212e52b
SHA51284da7c8064c911494893265cc9c4d44fb220711c7bce3f302707a3db3b0c05c2e72580482833221f8f3c5225c6e0ce523a50b883cac6c83b59d80d8388874d85
-
Filesize
753B
MD5ecc55219ef70298445bf9db69d87ad4d
SHA1698f44c00e2591b996d18e124d35fe9f76492ae2
SHA256307b4f33efbc06b1f80dfedf6296c53171ee5e4b8e11744623b0bff364bb9049
SHA512ca519539166b0aab62a1e9d8866af0d696b655fd57cc682d91ebdb7fc0f48f991cc2ddc4cee33d1cc7ea9c5c05b55f196d77cdf9c76724fa480d16a56d0dd590
-
Filesize
2.5MB
MD5cbbde9443e09b0eb5e19b2e7f70b0be2
SHA1c72c58798b8e5d3752c54fa60ae78a1657918100
SHA25668aad98c19c886dd846829ac3f59b2c460ac5a9f9b4bc0f27c0c5a2091839390
SHA512992dff3ef5499b93acda7cfcbcb2041908d8002598034ab50b91c39a769f70f59ef3a548802bf6f7635a55eb8e3c9eac764abe389a8e4cd4d2e3a8d55da4a1b0
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB