Analysis
- max time kernel: 119s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/10/2024, 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe
- Resource: win10v2004-20241007-en
General
- Target: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe
- Size: 96KB
- MD5: 5a1d2c9bfbe4d923f2414dbaf301d810
- SHA1: cbf2fe236fb81816589cc7f7331e18130bf3869d
- SHA256: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77
- SHA512: aa8a2aa10c0855bbf8a21f47feb0835dcc424f1127b14bd0329fff52892b8d963f0e84d57ed4f01c7992192a000d5a5816f40ae9d0799ed34ac1e4338d12451d
- SSDEEP: 384:E6eHIAx0pqNgHvRl4/UCC8VcAaYRiUiiV7fhqc45u8gNrLRnkYpZ7E:E6eHIMgPRlUUC151Npquv3Rnk+E
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (process: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe)
- Executes dropped EXE (1 IoC)
  PID 1928: xplorer.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe" (process: reg.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\xplorer\xplorer.exe (process: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe)
  File opened for modification: C:\Windows\xplorer\xplorer.exe (process: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: reg.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xplorer.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, PID 1928, xplorer.exe (the same entry is recorded 64 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1724: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe
  PID 1928: xplorer.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1724 wrote to memory of 2124 (process: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe, procid_target 88), recorded 3 times
  PID 2124 wrote to memory of 3116 (process: cmd.exe, procid_target 91), recorded 3 times
  PID 1724 wrote to memory of 1928 (process: 0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe, procid_target 92), recorded 3 times
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe (PID 1724)
  command line: "C:\Users\Admin\AppData\Local\Temp\0e9f84297e2b0158c7b8ffe7df981ef68e152ff6f0b798b86589a9aa97c8fc77N.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2124)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQYIE.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 3116)
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
  C:\Windows\xplorer\xplorer.exe (PID 1928)
    command line: "C:\Windows\xplorer\xplorer.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 124B
  MD5: 4e6e99d38b1264af2b53a68c7cd6d648
  SHA1: 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
  SHA256: 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
  SHA512: bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d
- Filesize: 96KB
  MD5: 742ffa78efd75ffd0f7da588bb6399a5
  SHA1: 4287ec62f8bc1426419b08c7a32c8d4619d3d08c
  SHA256: 5de4ae2efdf0f542a265b4266afe3eab7bf2ec5ab699b45fdf5cecbed08b9b6e
  SHA512: 63d70175275e47166b144dc9d483389d4de97fad5c137205d3ad8076a369b046bc92752a3b60412fb745af70aa90ad9aefa7b1a28801be7e3a076af05c83aed1