Analysis
max time kernel: 33s
max time network: 35s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2024, 07:18
Static task
static1
General
Target: Installer/Installer.exe
Size: 3.7MB
MD5: 640236b179a4c7c40776a6a252f95b1a
SHA1: f9b1ded41de3df7d7b736d15b6944f37c432549e
SHA256: a0f93aca0dc6a1122b85893383c6ab1ee25a6f2c2a0d86cb419cc2c68e27243b
SHA512: b5e7e05bc68ecba0917db7e28583dc5486e3cec9909bfc1be51fad3c38f7b9b82bf56389512313154b0dd02d7a7fe2c4cd1984a219eecd7e6f3aec9c3618ec5d
SSDEEP: 49152:8cnd825pb/8zDoGH2VdjrTURpKes/43A2mVn33usLMS:8X2H7ERCjrTgpKes43A2mR33/gS
Malware Config
Extracted: lumma
Signatures

Loads dropped DLL (1 IoC)
  pid   Process
  2096  rundll32.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 2096 set thread context of 2796  2096  rundll32.exe  85

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aspnet_regiis.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Installer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious use of WriteProcessMemory (15 IoCs; identical rows collapsed, occurrence count in the last column)
  description                       pid   Process        procid_target  count
  PID 1616 wrote to memory of 4628  1616  Installer.exe  83             3
  PID 4628 wrote to memory of 2096  4628  cmd.exe        84             3
  PID 2096 wrote to memory of 2796  2096  rundll32.exe   85             9
Processes

C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe  (PID 1616)
  command line: "C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4628, child of 1616)
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\msvcp110.dll,GetGameData
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 2096, child of 4628)
      command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\msvcp110.dll,GetGameData
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe  (PID 2796, child of 2096)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        - System Location Discovery: System Language Discovery
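The process tree and the SetThreadContext / WriteProcessMemory signatures above describe one chain: the dropper launches cmd.exe, which hands a DLL in the user's Roaming profile to rundll32.exe by export name, and rundll32.exe then writes into and redirects a thread of a freshly spawned .NET Framework utility. The following is an added detection example, not part of the tria.ge report or any tria.ge code: it replays those indicators as constructed Sysmon-style events and flags each stage. The event field names, the user-writable directory list and the "rundll32 spawning a .NET Framework binary" rule are assumptions of this example; the PIDs, paths and the GetGameData export are taken from the report.

```python
# Added example (not part of the tria.ge report). Event field names are assumptions
# modelled loosely on Sysmon Event IDs 1 (ProcessCreate), 8 and 10, not the
# sandbox's own schema. PIDs, paths and the export name come from the report above.
import re

EVENTS = [  # constructed from the report's Processes and Signatures sections
    {"type": "ProcessCreate", "pid": 1616, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"'},
    {"type": "ProcessCreate", "pid": 4628, "ppid": 1616,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\rundll32.exe "
                r"C:\Users\Admin\AppData\Roaming\msvcp110.dll,GetGameData"},
    {"type": "ProcessCreate", "pid": 2096, "ppid": 4628,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\msvcp110.dll,GetGameData"},
    {"type": "ProcessCreate", "pid": 2796, "ppid": 2096,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"'},
    # ordinary parent-to-child creation writes, which the report lists as well
    {"type": "WriteProcessMemory", "source_pid": 1616, "target_pid": 4628},
    {"type": "WriteProcessMemory", "source_pid": 4628, "target_pid": 2096},
    # the injection itself: write into the child, then redirect its thread
    {"type": "WriteProcessMemory", "source_pid": 2096, "target_pid": 2796},
    {"type": "SetThreadContext", "source_pid": 2096, "target_pid": 2796},
]

# Directories a standard user can write to; a DLL handed to rundll32 from one of
# these is a dropped file, not an installed component. Assumed list, not from the report.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\programdata\\")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>[^\s,]+\.dll),(?P<export>\S+)", re.IGNORECASE)


def process_table(events):
    """Map pid -> (ppid, image) from the ProcessCreate events."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "ProcessCreate"}


def find_rundll32_from_user_dirs(events):
    """rundll32.exe started with a DLL,export pair whose DLL sits under a
    user-writable directory. Returns [(pid, dll_path, export)]."""
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_RE.search(e["cmdline"])
        if m and any(p in m.group("dll").lower() for p in USER_WRITABLE):
            hits.append((e["pid"], m.group("dll"), m.group("export")))
    return hits


def find_hollowing(events):
    """A parent that both writes memory into and sets the thread context of a
    child it created. WriteProcessMemory alone is not enough: the report shows it
    firing for plain child creation too, so the rule requires both calls on one target."""
    procs = process_table(events)
    apis = {}
    for e in events:
        if e["type"] in ("WriteProcessMemory", "SetThreadContext"):
            apis.setdefault((e["source_pid"], e["target_pid"]), set()).add(e["type"])
    hits = []
    for (src, dst), seen in apis.items():
        if ({"WriteProcessMemory", "SetThreadContext"} <= seen
                and src in procs and dst in procs and procs[dst][0] == src):
            hits.append({"source_pid": src, "source": procs[src][1],
                         "target_pid": dst, "target": procs[dst][1]})
    return hits


def find_dotnet_children_of_rundll32(events):
    """rundll32.exe spawning a binary from the .NET Framework directory (here
    aspnet_regiis.exe). Assumed rule; the report shows only this one pair. Returns [(ppid, pid)]."""
    procs = process_table(events)
    return [(ppid, pid) for pid, (ppid, image) in procs.items()
            if ppid in procs and procs[ppid][1].lower().endswith("\\rundll32.exe")
            and image.lower().startswith("c:\\windows\\microsoft.net\\")]


if __name__ == "__main__":
    for name, fn in (("rundll32 with DLL from user dir", find_rundll32_from_user_dirs),
                     ("write + SetThreadContext into own child", find_hollowing),
                     (".NET Framework child of rundll32", find_dotnet_children_of_rundll32)):
        print(f"{name}: {fn(EVENTS)}")
```

Against the constructed events the first rule matches only PID 2096 (the cmd.exe command line also contains the rundll32 string, but the image check keeps cmd.exe out), the hollowing rule matches only the 2096 to 2796 pair, and the two creation-time writes listed in the report are left alone. On real telemetry the same three rules map onto Sysmon Event ID 1 (command line and parent image), Event ID 8/10 style cross-process access, and whatever the EDR exposes for SetThreadContext; the field names would need adjusting to that source.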
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 572KB
MD5: 66415b5c83f033ece5b0c2998a85955c
SHA1: 2f97a1aaec83f6184be73eda0c7c8ee9ecdbb5d4
SHA256: 659dbed3d2527701515c0f22d95bda9e0bec1353bf1e9ae34858a8f00b84e4b2
SHA512: 26196286e3e74263988b66790baaad4bda0e505316a930400cc8c522865f1af9e49e1042011dff18783dacad42ade6377c7f9866367a89aa9ddbab463e3cda85