Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 119s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2024, 11:34
Static task: static1
Behavioral task: behavioral1
- Sample: fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe
- Resource: win10v2004-20241007-en
The analysis details on this page are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20241007-en).
General
- Target: fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe
- Size: 30KB
- MD5: 48b42045cfa251cbf51d4a15f77ad3f0
- SHA1: c134490623201c280301882f3e8fb747a0716269
- SHA256: fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86b
- SHA512: 28a7221e6077a52d45364d22678d5fd66712f5efa44aa6dc8bf529abcbe053a4ad841b9e55f82d9af89634517d4bc58326fcf9de87cd7c135beb99ba4e68e269
- SSDEEP: 384:v/4LNJY74JwOllSBQmrb0i5PrmqHIKpa54b5f0iws0wGXeAcSn:v/qSamrxDmqoKM4Z0iwtwAKSn
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 3888, 2024101311.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 2024101311.exe
  Note that cmd.exe, which the sample only invokes to run del.bat, trips this signature as well, so a read of this key on its own is weak evidence of geofencing; the reads by the sample and by its dropped executable are the ones worth following up.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1020, fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe
  PID 3888, 2024101311.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1020 (fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe) wrote to memory of PID 3888, procid_target 83, recorded 3 times
  PID 1020 (fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe) wrote to memory of PID 748, procid_target 85, recorded 3 times
  Both targets are the sample's own child processes (2024101311.exe and cmd.exe, see Processes below); no write into an unrelated process is recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe (PID 1020, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024101311.exe (PID 3888, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024101311.exe down
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 748, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
    - System Location Discovery: System Language Discovery
The cmd.exe command line names System32 but the image that actually loaded is in SysWOW64: file-system redirection applied because the parent is a 32-bit process, which is consistent with the arch:x86 resource tag. The chain is drop (2024101311.exe written to %TEMP%), execute (launched with the argument "down"), then a batch file run via cmd.exe /c; the contents of del.bat are not captured in this report.
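As an added example that is not part of the tria.ge report, the following Python script rebuilds the parent/child relations from the report's "Suspicious use of WriteProcessMemory" IoC lines and the process list above, checks that every recorded write lands in the writer's own child (a write into any other process would be the injection case worth escalating), and labels the drop, execute, cleanup chain. The constructed input strings and the ppid values are copied from the report; the classification rules and the names parse_wpm, classify, describe_child and is_wow64_redirected are mine.

```python
import re
from collections import Counter

SAMPLE = "fe9b4ff710fb1fba38766d067d87c7b652d003c5d3371e9d37d60e591ccab86bN.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed input: the six WriteProcessMemory IoC lines as printed in the report
# (format: PID <src> wrote to memory of <dst> <src> <image> <procid_target>).
WPM_LINES = [
    "PID 1020 wrote to memory of 3888 1020 " + SAMPLE + " 83",
    "PID 1020 wrote to memory of 3888 1020 " + SAMPLE + " 83",
    "PID 1020 wrote to memory of 3888 1020 " + SAMPLE + " 83",
    "PID 1020 wrote to memory of 748 1020 " + SAMPLE + " 85",
    "PID 1020 wrote to memory of 748 1020 " + SAMPLE + " 85",
    "PID 1020 wrote to memory of 748 1020 " + SAMPLE + " 85",
]

# Constructed input: the Processes section, ppid taken from the tree nesting.
PROCESSES = [
    {"pid": 1020, "ppid": None, "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"pid": 3888, "ppid": 1020, "image": TEMP + "\\2024101311.exe",
     "cmdline": TEMP + "\\2024101311.exe down"},
    {"pid": 748, "ppid": 1020, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c " + TEMP + "\\del.bat"},
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(lines):
    """Collapse the IoC lines into {(src_pid, dst_pid): count}."""
    edges = Counter()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        src, dst, src_again, _image, _procid = m.groups()
        if src != src_again:
            raise ValueError(f"inconsistent source pid in: {line!r}")
        edges[(int(src), int(dst))] += 1
    return dict(edges)


def is_wow64_redirected(proc):
    """True when the command line names System32 but the loaded image is under
    SysWOW64: redirection applied, so the process that spawned it is 32-bit."""
    return (proc["image"].lower().startswith("c:\\windows\\syswow64\\")
            and "\\system32\\" in proc["cmdline"].lower())


def describe_child(child):
    """Heuristic labels for the two child shapes seen in this report."""
    image = child["image"].lower()
    cmd = child["cmdline"].lower()
    if image.endswith("\\cmd.exe") and " /c " in cmd and ".bat" in cmd and TEMP.lower() in cmd:
        return "cmd.exe running a batch file from %TEMP% (cleanup / self-delete pattern)"
    if image.startswith(TEMP.lower() + "\\"):
        args = child["cmdline"].split(" ", 1)[1] if " " in child["cmdline"] else ""
        return f"dropped executable launched from %TEMP% with args {args!r}"
    return "child process"


def classify(processes, edges):
    """Match each WriteProcessMemory edge against the declared tree. Writes into
    the writer's own children are what process creation produces in this report;
    a write into any other process is flagged as possible injection."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for (src, dst), count in sorted(edges.items()):
        child = by_pid.get(dst)
        if child is None or child["ppid"] != src:
            findings.append(f"{src} -> {dst}: write into a non-child process, possible injection")
            continue
        note = describe_child(child)
        if is_wow64_redirected(child):
            note += "; System32 redirected to SysWOW64, so the parent is 32-bit"
        findings.append(f"{src} -> {dst} ({count} writes): {note}")
    return findings


if __name__ == "__main__":
    for finding in classify(PROCESSES, parse_wpm(WPM_LINES)):
        print(finding)
```

The same parser can be pointed at the IoC text of any other report in this format; the one signal it is built to surface is a (src, dst) pair whose dst is not a child of src, which this report does not contain.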
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 30KB
  MD5: 68aadd4d6fea7efc2eb7ef0f3e5667ad
  SHA1: 5800548288627f4e56075d5eda17a3150d8c08ca
  SHA256: 98ec460becb04a8b9e548960144557936887c6a769c8ce0a21eb12668ac061b1
  SHA512: 7762f98e2e777c06f938cd60dfb19ce8144047126e314cba361d04ee9acff8ec197dee47248ab6b5d17d7e4f6fef0ab0bd94202e22feb49a1e2e24d57da630a9
- File 2
  Filesize: 270B
  MD5: 54aed559f06560e28f00e63635d5b9bb
  SHA1: 9e53d7b49af650185a399d0d9660f1c9cc7683b7
  SHA256: ab08bc774d1193d52e9db19f2f51d5c642796b62ef7075bcd9c6ce80bbba7371
  SHA512: bf495b38e44256d6cd7990add37094d9b4379d5af6a81255755433bd64cfc3e3b94fad42d55b491263c00979132647a35801fe590163fd027d9e3b7b7a5dcd87
The report does not map these two files to the names 2024101311.exe and del.bat. The 30KB file matches the sample's size but none of its hashes, so it is not a straight copy of the sample.