Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2024, 05:40

General

  • Target

    65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe

  • Size

    90KB

  • MD5

    da85e435f12df2ed8021698ce78f9b70

  • SHA1

    bba8120a2607f644c60dbc6cf4163b42f725c238

  • SHA256

    65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840

  • SHA512

    c6b13c7281acf4c9bc2faec07a88dfc23830a63b35779a85dc43c5a5d3e0ffc1c4b59e3f663eb8bf8122fb1d1189f1cc42536c6a99a5d69c0ab54b91aa9c5dfc

  • SSDEEP

    1536:r1Sbpfv5DOWknf7LAQkhB5EQr5PqNzH3EEIMrAgx29E9zt7Hp4h+DGm3/7qq:IbpfhDOW7hBhr4pX5r9x29E9z5HpZDGu

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
    "C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:348
    • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4080
      • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:948
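The persistence step in the tree above is a plain `reg.exe ADD` of a Run value named COM_LOADER whose data is `\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE`: a Win32 device-namespace prefix in front of a non-system drive letter, which lines up with the "Enumerates physical storage devices" signature. (The image path is `SysWOW64\reg.exe` while the command line says `System32`: that is WOW64 file-system redirection for a 32-bit parent.) The following is an added example, not code from tria.ge or from the sample, showing how to pull that out of process-creation telemetry: it tokenises the command line, parses the `reg ADD` arguments in any order, and flags Run/RunOnce values whose target uses the `\\.\X:\` prefix or sits on a drive other than the system drive. The event dictionaries, the field names `pid`/`ppid`/`image`/`cmdline`, PIDs 5001 and 5002 and the assumption that the system drive is C: are all constructed for the example; only the first event is copied from the process tree.

```python
"""Flag Run-key persistence in process-creation telemetry by parsing reg.exe command lines.

Added example, not part of the tria.ge report. SAMPLE_EVENTS is constructed: the first entry is
the reg.exe call from the process tree; the other two are made-up benign events for contrast.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Per-user / per-machine autostart keys. HKU\<SID>\... and Wow6432Node variants are not covered here.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
# Win32 device-namespace prefix before a drive letter, e.g. \\.\F:\..., as in the sample's Run value.
DEVICE_PREFIX_RE = re.compile(r"^\\\\\.\\([A-Za-z]):\\")
PLAIN_DRIVE_RE = re.compile(r"^([A-Za-z]):\\")


@dataclass
class RunKeyFinding:
    key: str
    value_name: str
    target: str
    drive: Optional[str]
    device_namespace: bool   # target written as \\.\X:\... instead of X:\...
    non_system_drive: bool   # target lives on a drive other than the (assumed) system drive

    @property
    def suspicious(self) -> bool:
        return self.device_namespace or self.non_system_drive


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring (and removing) double quotes."""
    args, cur, in_quote, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, have_token = not in_quote, True
        elif ch.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def parse_reg_add(argv: list):
    """Return (key, options) for `reg ADD <key> [/v name] [/t type] [/d data] [/f]`, else None."""
    if len(argv) < 3 or ntpath.basename(argv[0]).lower() != "reg.exe" or argv[1].lower() != "add":
        return None
    opts, i = {}, 3
    while i < len(argv):
        flag = argv[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(argv):
            opts[flag] = argv[i + 1]
            i += 2
        else:                      # value-less switches such as /f or /ve
            opts[flag] = True
            i += 1
    return argv[2], opts


def assess_run_key(cmdline: str, system_drive: str = "C") -> Optional[RunKeyFinding]:
    """Return a finding if the command line adds a value under a Run/RunOnce key."""
    parsed = parse_reg_add(split_cmdline(cmdline))
    if parsed is None or not RUN_KEY_RE.match(parsed[0]):
        return None
    key, opts = parsed
    target = opts.get("/d", "")
    m = DEVICE_PREFIX_RE.match(target) or PLAIN_DRIVE_RE.match(target)
    drive = m.group(1).upper() if m else None
    return RunKeyFinding(
        key=key,
        value_name=opts.get("/v", "(Default)"),
        target=target,
        drive=drive,
        device_namespace=DEVICE_PREFIX_RE.match(target) is not None,
        non_system_drive=drive is not None and drive != system_drive.upper(),
    )


def scan_events(events: list) -> list:
    """Return (pid, finding) for every process-creation event whose command line sets a Run value."""
    findings = []
    for ev in events:
        finding = assess_run_key(ev["cmdline"])
        if finding is not None:
            findings.append((ev["pid"], finding))
    return findings


SAMPLE_EVENTS = [  # constructed; first entry copied from the process tree, the rest invented
    {"pid": 4080, "ppid": 4752, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
                r'/f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"'},
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'},
    {"pid": 5002, "ppid": 900, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v ExampleApp /t REG_SZ /d "C:\Program Files\ExampleApp\app.exe" /f'},
]

if __name__ == "__main__":
    for pid, f in scan_events(SAMPLE_EVENTS):
        tag = "SUSPICIOUS" if f.suspicious else "info"
        print(f"[{tag}] pid={pid} {f.key}\\{f.value_name} -> {f.target} (drive={f.drive})")
```

Run against the constructed events, the COM_LOADER entry is flagged on both counts (device-namespace prefix and drive F:), while the made-up ExampleApp entry on C: is reported but not marked suspicious. On a live host the same check can be applied to the values returned by `Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'`; a Run value pointing at a removable drive only executes while that drive is mounted under the same letter, so absence of the file at logon does not mean the persistence is gone.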

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

    Filesize

    90KB

    MD5

    f295f99ebe142d005da2588fb5f3ceeb

    SHA1

    847ca4348ded4d3be67cb568cc892594056505ec

    SHA256

    573050cea6ebee7f36f914453cba74c5e3a538b4f668af096f41164e0f8d1097

    SHA512

    44524f020e843fcc5ee532884f325efb11970d75e0efe28c58a5d224157c1f7304bbc9ca8f9b1387bf75d4604ac7baab15db1202eab28a986abcedb4438fb580

  • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

    Filesize

    91KB

    MD5

    41527e62bfc453267e985d68289a2155

    SHA1

    b789303f2e939e40b35a67825939333cd1dec504

    SHA256

    078d0c82002bfbe74c8fc920fb34d0ce8785579f3a58660afa6235110bee9407

    SHA512

    8e8e06a2f7b92da11d4580e07483371bc79fb1ecfdc58579aff0b79b57042bb9951e4992553d4c19b7875eac92108e0f1b91e091739d4f9fce70701fc2947d20

  • memory/348-26-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/948-23-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/1300-12-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/3520-16-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/3520-30-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/3520-38-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB

  • memory/4752-17-0x0000000000400000-0x0000000000549000-memory.dmp

    Filesize

    1.3MB