Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 07:19
Static task: static1
Behavioral task: behavioral1
  Sample: 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
  Resource: win10v2004-20241007-en
General
- Target: 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
- Size: 78KB
- MD5: a76234d3445d925d6ae88cb977c99200
- SHA1: d301938d7c541e889ce36940a16736448933c152
- SHA256: 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087
- SHA512: d45722c4874d07bc38e536c0c97c5c5db78343c5867bbed892adc0aabf632242946121dfe037ea4900b2464839e7e9003a806fa4daf14de221242d38682604d2
- SSDEEP: 1536:lsHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkb9/51nh0:lsHFoI3DJywQjDgTLopLwdCFJzkb9/S
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
- Deletes itself (1 IoC)
  pid | Process
  2628 | tmp929B.tmp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2628 | tmp929B.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp929B.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4588 | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
  Token: SeDebugPrivilege | 2628 | tmp929B.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4588 wrote to memory of 3624 | 4588 | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe | 85
  PID 4588 wrote to memory of 3624 | 4588 | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe | 85
  PID 4588 wrote to memory of 3624 | 4588 | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe | 85
  PID 3624 wrote to memory of 2332 | 3624 | vbc.exe | 88
  PID 3624 wrote to memory of 2332 | 3624 | vbc.exe | 88
  PID 3624 wrote to memory of 2332 | 3624 | vbc.exe | 88
  PID 4588 wrote to memory of 2628 | 4588 | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe | 89
  PID 4588 wrote to memory of 2628 | 4588 | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe | 89
  PID 4588 wrote to memory of 2628 | 4588 | 6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe | 89
Processes
1. C:\Users\Admin\AppData\Local\Temp\6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4588
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\enm-f1gn.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3624
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9422.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70B96D0A897E4B3D8979CA9E8CC5E65.TMP"
         - System Location Discovery: System Language Discovery
         PID: 2332
   2. C:\Users\Admin\AppData\Local\Temp\tmp929B.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp929B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6b4e2ef980016c3136a64aa9a32d9e5805c48f20e3c91f5fa85a283de9726087N.exe
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2628
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b7b8de8c341098f0d0b2ce0dda622a70
  SHA1: 42d3b9a96f408b0506ef394a88cffefb995f23b9
  SHA256: 7591eb05a5e98724f735edae51095859a5f7cc3602fd615edc1af1b085e48cc1
  SHA512: 11e3b2c9eec1b90d400cede79e5f6e59d7d9ba26d9944db51cfb25667b477948e065f3c6ddfe41613f100403bd77de733e35610aad67326ed90329bee2b8697e
- Filesize: 15KB
  MD5: f5de2b30f6e6233be1a05b7414ed0788
  SHA1: 1db3c3479de049d28a3c89b02b242d94bb909033
  SHA256: be0e330bc0cdb7f94bc863e095d017f5c86317ece4e492bb4dd66195c956931f
  SHA512: d8f43ac8530cdb50bf18a82ceca4b2e2eb57e4b79ced6d817cf228f9a9c1c7a329c83b501eac0fdbf32de688691f39995433f4b9a4b53f526b080e15ca8f8e35
- Filesize: 266B
  MD5: 663d439b5056c996a9d1301991b510f0
  SHA1: 05dc66d9bf67831e0ddb030964941d8ab06d456a
  SHA256: 16a4a7c08d131346d0461cd270327ea1eead16fb859e06e01c2a10c8003b6441
  SHA512: bfb8ccb1aecdda672ac702e7e41e4228e9e24e4408102a07540c9eee3348bdd7ed8059025b016c132516517418a148d034784adba4f091f6d5c9d7d240ee30be
- Filesize: 78KB
  MD5: 9e90658bb7bbec8d8d2937ff572daf66
  SHA1: ce1ecd8a83284ea1f17e7b9a9dad530cd2d3dd25
  SHA256: 4da259def949e7d2d9464b11ad6ea7a53b59832ccf82a2e9c1baf4ec7d66c448
  SHA512: c15ca15d22f592ee00c11047c7c52ab229ba65822c246b07f6ad06ed659c60b03af9da581c7d5afdba0be1ab3cd6fa456b5b586255e13ce9d8e43fb998988a68
- Filesize: 660B
  MD5: 878262f37b61a216f5f3863ac44c2bb6
  SHA1: 29e62da8f5236161ecad37b7d9068c036e5ca772
  SHA256: 1c19e22d6aa779fcd1af4f4e0c63859651bb84484b5e493213d88df7c39089c5
  SHA512: 128ad1fefd65cb7787334f33ba722fb081989703bed07713295f5bb86742c792daeb7d982bbc8ef31c1514c8eeac39265360255774d5c648f8a8d875bd5165ed
- Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7