Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 02:05
Static task
static1
Behavioral task
behavioral1
Sample
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
Resource
win10v2004-20241007-en
General
-
Target
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
-
Size
1.2MB
-
MD5
2b2832a4e1bf4e26e59980f4162334e2
-
SHA1
a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336
-
SHA256
a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257
-
SHA512
26fc4677d42d3c0dae70a0f5c8c8e0987bac137d94d6973883de48c3de028424e77c2227d14b4d59b9eafe097a5e3dde29d275fbe1de3ce7fe880d4496228f01
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCznZeX4CCmLFtyfHIHjw3Oz/ijaX:7JZoQrbTFZY1iaCznMCiFtygHcOTN
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs incalculability.exe -
Executes dropped EXE 1 IoCs
pid Process 3724 incalculability.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000b000000023bc8-5.dat autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1352 3724 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language incalculability.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3724 incalculability.exe 3724 incalculability.exe 3724 incalculability.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 3724 incalculability.exe 3724 incalculability.exe 3724 incalculability.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3464 wrote to memory of 3724 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 86 PID 3464 wrote to memory of 3724 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 86 PID 3464 wrote to memory of 3724 3464 a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe 86 PID 3724 wrote to memory of 3120 3724 incalculability.exe 87 PID 3724 wrote to memory of 3120 3724 incalculability.exe 87 PID 3724 wrote to memory of 3120 3724 incalculability.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Users\Admin\AppData\Local\inhumate\incalculability.exe"C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe"3⤵PID:3120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 7283⤵
- Program crash
PID:1352
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3724 -ip 37241⤵PID:736
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD52b2832a4e1bf4e26e59980f4162334e2
SHA1a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336
SHA256a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257
SHA51226fc4677d42d3c0dae70a0f5c8c8e0987bac137d94d6973883de48c3de028424e77c2227d14b4d59b9eafe097a5e3dde29d275fbe1de3ce7fe880d4496228f01