Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 04/10/2024, 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe
  Resource: win10v2004-20240802-en
General
Target: b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe
Size: 6.4MB
MD5: 156924e27f163099e490a991c5a54f70
SHA1: 53b86ca2559673b41a9a976cc48d2477856c50f0
SHA256: b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2
SHA512: fcd93d526514d948af758df62baf03519b8517080dd29e8937387aa0d16bf75516d91924931f15ce681f1aa19f00a76155ab880f167a525285be02e6f16488c9
SSDEEP: 98304:emhd1UryeXTnztENJYasV7wQqZUha5jtSyZIUbt:el31wJYas2QbaZtli4
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  4560  9E24.tmp
Executes dropped EXE (1 IoC)
  pid   Process
  4560  9E24.tmp
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9E24.tmp
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 1872 wrote to memory of 4560   1872  b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe  82
  PID 1872 wrote to memory of 4560   1872  b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe  82
  PID 1872 wrote to memory of 4560   1872  b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe  82
Processes
1. C:\Users\Admin\AppData\Local\Temp\b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1872
   2. C:\Users\Admin\AppData\Local\Temp\9E24.tmp (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9E24.tmp" --splash C:\Users\Admin\AppData\Local\Temp\b78ede01b581fa24b2c423069f3550beef40d441f8f3c0eae5d7880dbf0cc7d2N.exe 415A31A973E12F395C67E45D212E91FB2B6ED43C99A60B2195BB1491065CD8DCDD93B99090819EB66C417B8B6A078E17301F82D5624286EA998A52137EED81F8
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4560
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6.4MB
MD5: e85201f9ed4d829d4ad537761e54ac28
SHA1: 6abc7122307043123f8bec8f703de9aa8e8eff4c
SHA256: 56d35ebbd72f7f36975983f97ca175924b436a429635ecc9762af1fff7ac4656
SHA512: fc4f20824127be241e2643630b7ea6a76b373cf3ca95b895d02131fa8dc4149fbcb96e57a4f2435d36ab92f3a19967a9652ba6d1a63e9858fc9a6f2680bd68dd