Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

6070b1db3a...aN.exe

windows7-x64

7

6070b1db3a...aN.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe

  • Size

    2.7MB

  • MD5

    1013696a7112cad9d1175f876cc51db0

  • SHA1

    c0ee1e1872ce56b8413e23d3c38633d33e04386f

  • SHA256

    6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22a

  • SHA512

    000a5b82add76991dd62a50c182ccbb60c028b92b05aaec5d1311db1f920a80574f243335c46580fab69df5a3d94028f19c0c5b0c32c8b6b7a8147c3b652d420

  • SSDEEP

    49152:9WyT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:bTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe
    "C:\Users\Admin\AppData\Local\Temp\6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Users\Admin\AppData\Local\Temp\Milzie Gretchen.exe
      "C:\Users\Admin\AppData\Local\Temp\Milzie Gretchen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1572
        3⤵
        • Program crash
        PID:1876
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6070b1db3acecc3ff0c6892c57fb2993dcce05353845140cf02abc4ba27bd22aN.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
    1⤵
      PID:2580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Milzie Gretchen.exe
      Filesize

      2.7MB

      MD5

      aea8b9709a5ca92704a5977e98c2eeab

      SHA1

      d91a7c4c2226ed7b3f49ae6b77206c2d362994fc

      SHA256

      2a91cd73a6142b8540b1c47628a5cf7bc399be71ffec531bd5d8145b374afecd

      SHA512

      333877ca3dac59ed031123873ed8dff669103ce1f55c4ad36c191e70d89b304b3277862e4c345d9ee00276b6c44ee755960d7513df03527450d41e44e604b5e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Milzie Gretchen.exe
      Filesize

      2.7MB

      MD5

      41147405490e3f8522fa69b0e934f2c1

      SHA1

      641a5c268ec1e8796599d7c3e7535ea6c7244249

      SHA256

      04650a54cd4db2511c54ebbca1173752c8ef0c8960de74a3c64d89a0563c2533

      SHA512

      6f743418a5d6b3a0258f1c1210cbcd0dabac20fe9c3802c240f0ac2ed5d6848db4d053d750cb8379fce99327bf881ef41349c44f6a91b38dc9f3f35e935bddde

      Download Submit

    • memory/3568-8-0x0000000074B00000-0x00000000752B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3568-9-0x0000000074B00000-0x00000000752B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3568-4-0x000000000B5A0000-0x000000000BB44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3568-5-0x000000000B090000-0x000000000B122000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3568-6-0x000000000B590000-0x000000000B59A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3568-7-0x000000000E6A0000-0x000000000E706000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3568-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3568-3-0x0000000074B00000-0x00000000752B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3568-2-0x0000000007DD0000-0x0000000007FF4000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3568-1-0x0000000000C90000-0x0000000000F52000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3568-38-0x0000000074B00000-0x00000000752B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4864-39-0x0000000074B00000-0x00000000752B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4864-37-0x0000000000EC0000-0x0000000001182000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/4864-40-0x0000000074B00000-0x00000000752B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4864-41-0x0000000074B00000-0x00000000752B0000-memory.dmp

      Filesize

      7.7MB

      Download