Analysis

max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2024, 05:40
Static task: static1

Behavioral task: behavioral1
Sample: 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
Resource: win10v2004-20240802-en
General

Target: 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
Size: 90KB
MD5: da85e435f12df2ed8021698ce78f9b70
SHA1: bba8120a2607f644c60dbc6cf4163b42f725c238
SHA256: 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840
SHA512: c6b13c7281acf4c9bc2faec07a88dfc23830a63b35779a85dc43c5a5d3e0ffc1c4b59e3f663eb8bf8122fb1d1189f1cc42536c6a99a5d69c0ab54b91aa9c5dfc
SSDEEP: 1536:r1Sbpfv5DOWknf7LAQkhB5EQr5PqNzH3EEIMrAgx29E9zt7Hp4h+DGm3/7qq:IbpfhDOW7hBhr4pX5r9x29E9z5HpZDGu
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | COM7.EXE

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF Reader Launcher.exe | COM7.EXE

Executes dropped EXE (4 IoCs)
pid | Process
3520 | ashcv.exe
4752 | COM7.EXE
948 | ashcv.exe
348 | COM7.EXE

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM_LOADER = "\\\\.\\F:\\Program Files\\PDF_Reader\\bin\\COM7.EXE" | reg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | COM7.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ashcv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | COM7.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ashcv.exe

Modifies registry key (1 TTP, 1 IoC)
pid | Process
4080 | reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
3520 | ashcv.exe
3520 | ashcv.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
948 | ashcv.exe
948 | ashcv.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
348 | COM7.EXE
348 | COM7.EXE
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
4752 | COM7.EXE
4752 | COM7.EXE
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3520 | ashcv.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 1300 wrote to memory of 3520 | 1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe | 82
PID 1300 wrote to memory of 3520 | 1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe | 82
PID 1300 wrote to memory of 3520 | 1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe | 82
PID 1300 wrote to memory of 4752 | 1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe | 83
PID 1300 wrote to memory of 4752 | 1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe | 83
PID 1300 wrote to memory of 4752 | 1300 | 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe | 83
PID 4752 wrote to memory of 4080 | 4752 | COM7.EXE | 84
PID 4752 wrote to memory of 4080 | 4752 | COM7.EXE | 84
PID 4752 wrote to memory of 4080 | 4752 | COM7.EXE | 84
PID 4752 wrote to memory of 948 | 4752 | COM7.EXE | 86
PID 4752 wrote to memory of 948 | 4752 | COM7.EXE | 86
PID 4752 wrote to memory of 948 | 4752 | COM7.EXE | 86
PID 3520 wrote to memory of 348 | 3520 | ashcv.exe | 87
PID 3520 wrote to memory of 348 | 3520 | ashcv.exe | 87
PID 3520 wrote to memory of 348 | 3520 | ashcv.exe | 87
Processes

C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe"
PID: 1300
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe (child of PID 1300)
    Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
    PID: 3520
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE (child of PID 3520)
        Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        PID: 348
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE (child of PID 1300)
    Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
    PID: 4752
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (child of PID 4752)
        Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
        PID: 4080
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry key

        C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe (child of PID 4752)
        Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        PID: 948
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 90KB
MD5: f295f99ebe142d005da2588fb5f3ceeb
SHA1: 847ca4348ded4d3be67cb568cc892594056505ec
SHA256: 573050cea6ebee7f36f914453cba74c5e3a538b4f668af096f41164e0f8d1097
SHA512: 44524f020e843fcc5ee532884f325efb11970d75e0efe28c58a5d224157c1f7304bbc9ca8f9b1387bf75d4604ac7baab15db1202eab28a986abcedb4438fb580

Filesize: 91KB
MD5: 41527e62bfc453267e985d68289a2155
SHA1: b789303f2e939e40b35a67825939333cd1dec504
SHA256: 078d0c82002bfbe74c8fc920fb34d0ce8785579f3a58660afa6235110bee9407
SHA512: 8e8e06a2f7b92da11d4580e07483371bc79fb1ecfdc58579aff0b79b57042bb9951e4992553d4c19b7875eac92108e0f1b91e091739d4f9fce70701fc2947d20