Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/10/2024, 21:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: Launch.exe
- Resource: win7-20240903-en
General
- Target: Launch.exe
- Size: 342KB
- MD5: c3579512b9277f8bf64af53227f0ff0f
- SHA1: be71ec8d000831d5b87c51be81d90af55fcb8b0c
- SHA256: 4796c351a43e182f5a424a531dd2b07e262147d3d979ca0606cba611f0ab262f
- SHA512: bbd34ddc24a5d735d12e3972a73267821b0ecdaffdaad21b89ef18d8c30315b8b2978315eec56f3a0ddbd884308c296f538e3e540280868b556ce8a4b63c6e9a
- SSDEEP: 6144:nrWu9SucKFiQObW6tg5ULzrh0GWtLg3F+S6Ua2gtI4BAlSiCApzPj2h5b+pB0P/p:nPcKWK9ULzrhMKza3a4DbAZub+pB0P/T
Malware Config
- Extracted: lumma
Signatures
- Loads dropped DLL (1 IoCs)
  pid | Process
  5036 | Launch.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 5036 set thread context of 916 | 5036 | Launch.exe | 82
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Launch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aspnet_regiis.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 5036 wrote to memory of 916 | 5036 | Launch.exe | 82 (this identical row appears 9 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\Launch.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Launch.exe"
  PID: 5036
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    PID: 916
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 561KB
- MD5: a317e8041d6fb24650756004d6c70c6a
- SHA1: 1596d794053a23463915994bfecf41aeac966ea1
- SHA256: e81b38320476b4ee8d3a39d7d13d546fb7fa7689dd47778cdae12460330bd64e
- SHA512: a63a04fe48e1f02c2d55367cd98d912bd33ff25971ff1b3972baed76589eb5bfbca888e6dc01569bdc2b119a864350d376863c07d682e55145f17e24dadefd3a