Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2024, 02:50
Static task: static1
Behavioral task: behavioral1
- Sample: cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
- Resource: win10v2004-20240802-en
General
- Target: cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
- Size: 272KB
- MD5: fcddcc6103abdc8512e6aef6a41944a0
- SHA1: 102acf317f50f0d45dc93f804e20ec8c7ab3a151
- SHA256: cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe
- SHA512: 709786c78d44ea9e71d93beb8c09ca3d6225eac03434d5642bb42864f1d366056429806b6aae5f65e4766710cfaed5dafdfa8ee9fe2ed487738db44d7fc55e1c
- SSDEEP: 6144:ijOZOz0jOZ+ghfu3WujOZsfRYDjbvKT8N5XaMLPOgRv+qR:ijOZOz0jOZ+g1umujOZsCq8NNPl9+q
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | server.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2988 | Install Lightroom 2.4.exe
  4120 | server.exe
  2040 | Install Lightroom 2.4.exe
  4600 | server.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2988 set thread context of 2040 | 2988 | Install Lightroom 2.4.exe | 87
  PID 4120 set thread context of 4600 | 4120 | server.exe | 88
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Install Lightroom 2.4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
- Delays execution with timeout.exe (1 IoCs)
  pid | Process
  1288 | timeout.exe
- Suspicious use of WriteProcessMemory (22 IoCs; identical events grouped, with the number of occurrences in the last column)
  description | pid | Process | procid_target | occurrences
  PID 1612 wrote to memory of 2988 | 1612 | cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe | 85 | 3
  PID 1612 wrote to memory of 4120 | 1612 | cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe | 86 | 3
  PID 2988 wrote to memory of 2040 | 2988 | Install Lightroom 2.4.exe | 87 | 5
  PID 4120 wrote to memory of 4600 | 4120 | server.exe | 88 | 5
  PID 4600 wrote to memory of 4060 | 4600 | server.exe | 96 | 3
  PID 4060 wrote to memory of 1288 | 4060 | cmd.exe | 98 | 3
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe (PID 1612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf1e0e2019d7b2a1535c3ac8e6de29fcea80e690116d0f6f2ac50205277086fe.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [level 2] C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe (PID 2988)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe (PID 2040)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Install Lightroom 2.4.exe"
      Signatures: Executes dropped EXE
  - [level 2] C:\Users\Admin\AppData\Local\Temp\server.exe (PID 4120)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Local\Temp\server.exe (PID 4600)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [level 4] C:\Windows\SysWOW64\cmd.exe (PID 4060)
        Command line: "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\server.exe
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [level 5] C:\Windows\SysWOW64\timeout.exe (PID 1288)
          Command line: timeout 5
          Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 98KB
  MD5: a60ca61e6d68432e67df805e3993acab
  SHA1: 9329198e5fac53f8c23af8c740d02fb3be1c8c89
  SHA256: 8f260601b2f89584dd665f91ac3222dd99fa9ce7d7ba912288a5a96f6474193e
  SHA512: 095e3e3153224508172d87a32d7e8b679a04abbbfd6c5f3244989d484a786e22f502440707a928d26816fd2ec616ac669ea5e0ec0416aefe36c9ea23fe5db87a
- Dropped file 2
  Filesize: 138KB
  MD5: 49b46e6f0e2d9aea8dd2ad7d635fbb1d
  SHA1: 7820e7d24e0f51f3b0bcf67a1d2a7cbfd81d9e9e
  SHA256: 6777656fef03083dad8c649997df0db87bd0f4250a144edb28c5938e474b5c9b
  SHA512: c4a9ff64b6e20bee7b3fe8bb6bb05ea8cd90147d45f04d486ddf27d6f1176d5f0b45799c37212bd3d14589867ed25639e0e84d33734e819c722b47e8552033d9