Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2024, 16:23
Static task: static1
Behavioral task: behavioral1
Sample: 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
Resource: win7-20240708-en
General
Target: 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
Size: 329KB
MD5: 373823c3f20c185c50bc7abd35345bd0
SHA1: b9bf4195521f9cd012af3773bf5cdb9ac98fac75
SHA256: 5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7
SHA512: 746b6e9266a4f7b8c2ff08ccb71a9a3ec65de365a91c07d49b6f14db1ac40acd8886624d42239bb21b077939d51442c4c7a374a64cced51db6c9cb268c7480c8
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVP:vHW138/iXWlK885rKlGSekcj66ciEP
Malware Config (extracted)
Family: urelas
Addresses:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation  5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation  coryz.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  3924  coryz.exe
  3700  qazym.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  coryz.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qazym.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid   Process
  3700  qazym.exe  (the same pid/process pair is listed for all 48 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
  description                 pid   Process                                                                 procid_target
  PID 3828 wrote to memory of 3924  5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe  82  (listed 3 times)
  PID 3828 wrote to memory of 4912  5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe  83  (listed 3 times)
  PID 3924 wrote to memory of 3700  coryz.exe                                                               94  (listed 3 times)
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ed43cd86aad524ffb309138cae777545dcba1968818fd40ce8a044259638ea7N.exe"
  PID: 3828
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\coryz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\coryz.exe"
      PID: 3924
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\qazym.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qazym.exe"
          PID: 3700
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 4912
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads