Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2024, 20:11
Static task: static1
Behavioral task: behavioral1
  Sample: 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
  Resource: win10v2004-20240802-en
General
Target: 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
Size: 1.4MB
MD5: 2ed5a214f96d2c1cab7979e824e77d60
SHA1: cf8af03123ccb03578f8824526c9fc15f185b25d
SHA256: 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1
SHA512: 010c391bace723f10248c19c84942277b953aede6192584da14b95ac2e0c54d7545fc91b739e06617ad638259ff3720ba2140f3a6a9294e736c625d64475cb76
SSDEEP: 24576:L8dvIOVmW6AbPsArkueRKmV3sNlHXdmMovDevm:LowONbkBuyKmBs7YjS+
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
  Process: 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
Drops startup file (4 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  File created:                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe
  File created:                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  Process (all four): 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
Executes dropped EXE (2 IoCs)
  PID 1464  app.exe
  PID 2120  app.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.exe"
  Process: 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 1464 (app.exe) set thread context of PID 2120 (procid_target 95)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: app.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: app.exe
Suspicious behavior: EnumeratesProcesses (56 IoCs)
  PID 868   173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe  (6 entries)
  PID 1464  app.exe  (8 entries)
  PID 2120  app.exe  (remaining 42 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 868   173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe
  Token: SeDebugPrivilege  PID 1464  app.exe
  Token: SeDebugPrivilege  PID 2120  app.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2120  app.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 868 (173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe) wrote to memory of PID 1464 (procid_target 94)  (3 entries)
  PID 1464 (app.exe) wrote to memory of PID 2120 (procid_target 95)  (8 entries)
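The signatures above are individually weak (a Startup-folder write, a Run value, a WriteProcessMemory call), but read together they describe one chain: the sample drops app.exe into the Startup folder, registers the same file under Run, reads Geo\Nation before doing anything else, and app.exe then writes into and calls SetThreadContext on a child that is its own image, which is the process-hollowing sequence. The script below is an added example, not tria.ge code: it condenses the report's IoC lines into a constructed event stream (PIDs, paths and registry keys are the report's; the event schema and the function names are this example's assumptions) and re-derives those three findings from it, so the same logic can be pointed at any similar event dump.

```python
"""Re-derive this report's behavioural findings from its raw IoC records.

Added example, not tria.ge code. EVENTS is constructed from the report's
own signature lines; the schema (op / pid / target / key ...) and the
function analyze() are assumptions of this example.
"""
from collections import defaultdict

SAMPLE = "173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU = r"\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000"

# Constructed event stream, condensed from the report (repeats collapsed).
EVENTS = [
    {"op": "process", "pid": 868, "ppid": 0, "image": SAMPLE},
    {"op": "reg_query", "pid": 868, "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"op": "file_create", "pid": 868, "path": STARTUP + r"\app.exe"},
    {"op": "file_create", "pid": 868, "path": STARTUP + r"\app_signed.exe"},
    {"op": "reg_set", "pid": 868,
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application",
     "value": STARTUP + r"\app.exe"},
    {"op": "process", "pid": 1464, "ppid": 868, "image": STARTUP + r"\app.exe"},
    {"op": "wpm", "pid": 868, "target": 1464},          # 3x in the report
    {"op": "process", "pid": 2120, "ppid": 1464, "image": STARTUP + r"\app.exe"},
    {"op": "wpm", "pid": 1464, "target": 2120},         # 8x in the report
    {"op": "set_thread_context", "pid": 1464, "target": 2120},
    {"op": "reg_open", "pid": 2120,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def analyze(events):
    """Return (category, message) findings for persistence, geofencing and injection."""
    image = {e["pid"]: e["image"] for e in events if e["op"] == "process"}
    parent = {e["pid"]: e["ppid"] for e in events if e["op"] == "process"}
    dropped = {e["path"].lower() for e in events if e["op"] == "file_create"}
    wrote = defaultdict(set)  # writer pid -> set of pids it wrote into
    for e in events:
        if e["op"] == "wpm":
            wrote[e["pid"]].add(e["target"])
    findings = []

    # Persistence: files written into a Startup folder, and Run values.
    for p in sorted(p for p in dropped if "\\start menu\\programs\\startup\\" in p):
        findings.append(("persistence", f"startup folder drop: {p}"))
    for e in events:
        if e["op"] == "reg_set" and "\\currentversion\\run\\" in e["key"].lower():
            note = "run key -> " + e["value"]
            if e["value"].lower() in dropped:
                note += " (same file as a startup-folder drop: two autostart paths for one payload)"
            findings.append(("persistence", note))

    # Discovery: country / language lookups that usually gate execution.
    for e in events:
        if e["op"] in ("reg_query", "reg_open"):
            k = e["key"].lower()
            if k.endswith("\\geo\\nation"):
                findings.append(("geofence", f"pid {e['pid']} read Geo\\Nation"))
            elif k.endswith("\\nls\\language"):
                findings.append(("geofence", f"pid {e['pid']} read NLS\\Language"))

    # Injection: SetThreadContext on a child whose memory the caller already
    # wrote is the hollowing sequence; a same-image child makes it self-hollowing.
    for e in events:
        if e["op"] != "set_thread_context":
            continue
        src, dst = e["pid"], e["target"]
        if dst in wrote[src] and parent.get(dst) == src:
            kind = "self-hollowing" if image.get(src) == image.get(dst) else "hollowing"
            findings.append(("injection", f"{kind}: pid {src} -> pid {dst} ({image.get(dst)})"))
    return findings


if __name__ == "__main__":
    for category, message in analyze(EVENTS):
        print(f"[{category}] {message}")
```

Note the asymmetry the injection rule relies on: PID 868 also wrote into its child 1464, but never set its thread context, and in these reports a few parent-to-child writes around process creation are routine, so that pair yields no injection finding. The 1464 to 2120 pair is flagged because the write is followed by SetThreadContext on a child running the same app.exe image. app_signed.exe is dropped but never executed within the run, so it shows up only as a persistence artifact.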
Processes
- C:\Users\Admin\AppData\Local\Temp\173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe  (PID 868)
  command line: "C:\Users\Admin\AppData\Local\Temp\173f9f23f6261a8b7a243e60f1375e79396ec5b3eab5330173088d5a5bb4b0c1N.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe  (PID 1464, child of 868)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe  (PID 2120, child of 1464)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: 287986e83856261ab22324fb0b62858e
SHA1: eaf767a68d15721b2c83f14e5a15a6bf1576b249
SHA256: 3d5e5d8a96676f30c050ac6dafcefbee189ac82317f4c31aa0788408b85e2880
SHA512: 787c9894dab46ca9a850bcc1b8015f3d56a9642ab9d07b632d4b58248b66cb370fad8d8043a3fb1f7f9bfbe0a88db6012c56a478dc1097e658acee887d5c3f90