Analysis
  max time kernel:  102s
  max time network: 107s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        15/10/2024, 00:08
Static task: static1

Behavioral task: behavioral1
  Sample:   1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
  Resource: win10v2004-20241007-en
General
  Target: 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
  Size:   14KB
  MD5:    2906e9954d3a92a8ef1775fa5e3c2580
  SHA1:   eed8ecc850cb2f9f7200f765e4789897a5c12fbd
  SHA256: 1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26
  SHA512: 09c9ef9fda2f3b5850344d06c4eaf12abea8db44d26531acce526d2694e8149723adbfc9e5de8ded896a56e05bb65c73223d5b153d1193813e7b25802cc787b1
  SSDEEP: 384:FhM8ifXjqMmzP2o9U25j7AkFI/E8mkvha1H94Ni4bhG:FhMr78it25q/EF1H9D49G
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description         ioc                                                                                           Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation   1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    PING.EXE
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    csc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cvtres.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid    Process
  2612   cmd.exe
  944    PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
  pid    Process
  944    PING.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid    Process                                                                   procid_target   occurrences
  PID 1132 wrote to memory of 5092     1132   1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe   91              3
  PID 5092 wrote to memory of 2708     5092   csc.exe                                                                   93              3
  PID 1132 wrote to memory of 2612     1132   1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe   94              3
  PID 2612 wrote to memory of 944      2612   cmd.exe                                                                   96              3
  The four writer/target pairs are exactly the parent/child edges of the process tree under Processes, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe  (PID 1132)
   command line: "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  (PID 5092)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svo1gn4e\svo1gn4e.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 2708)
         command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEDDD506DC3584F6B87119C59550C31B.TMP"
         - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\cmd.exe  (PID 2612)
      command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe" & move "갛갈갭간갌.exe" "C:\Users\Admin\AppData\Local\Temp\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe"
      (the System32 path resolves to SysWOW64 because the sample is 32-bit, as the arch:x86 tag and the /MACHINE:IX86 cvtres invocation also show; the ping to 1.1.1.1 acts as a one-second delay before the original file is deleted and the renamed copy moved into its place)
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 944)
         command line: ping 1.1.1.1 -n 1 -w 1000
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Runs ping.exe
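Detection logic for the three behaviours this report records, as an added example that is not part of the tria.ge report or of the sample: csc.exe compiling a .cmdline response file out of the user's Temp directory (runtime C# compilation), the cmd.exe "ping as a delay, then del and move" self-replacement one-liner, and the Control Panel\International\Geo\Nation lookup from a binary running in Temp. The events below are constructed from the process tree and signature tables above (Sysmon-style field names image, parent_image, cmdline and target_object are an assumption, as is the allowlist of build tools allowed to drive csc.exe); they are not real telemetry.

```python
"""Added example: rules for the behaviours in the report, over constructed events."""
import re
from typing import List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1cfba28c79227b4b9f0ee3022306f74e79ff4ce6a80b47b34ebf4559a00dcd26N.exe")
DOTNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed process-creation events, one per node of the report's process tree.
# The report does not show the parent of the top-level sample, so it is left empty.
PROCESS_EVENTS: List[dict] = [
    {"pid": 1132, "image": SAMPLE, "parent_image": "", "cmdline": f'"{SAMPLE}"'},
    {"pid": 5092, "image": DOTNET + r"\csc.exe", "parent_image": SAMPLE,
     "cmdline": f'"{DOTNET}\\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\Admin\AppData\Local\Temp\svo1gn4e\svo1gn4e.cmdline"'},
    {"pid": 2708, "image": DOTNET + r"\cvtres.exe", "parent_image": DOTNET + r"\csc.exe",
     "cmdline": DOTNET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES85C6.tmp" '
                r'"c:\Users\Admin\AppData\Local\Temp\CSCEDDD506DC3584F6B87119C59550C31B.TMP"'},
    {"pid": 2612, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul'
                f' & Del "{SAMPLE}" & move "갛갈갭간갌.exe" "{SAMPLE}"'},
    {"pid": 944, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 1.1.1.1 -n 1 -w 1000"},
]

# Constructed registry-query events taken from the report's signature tables.
REGISTRY_EVENTS: List[dict] = [
    {"pid": 1132, "image": SAMPLE,
     "target_object": r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000"
                      r"\Control Panel\International\Geo\Nation"},
    {"pid": 2612, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "target_object": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

# Assumed allowlist of parents that legitimately drive csc.exe; tune per environment
# (PowerShell's Add-Type also compiles through csc.exe with a Temp response file).
BUILD_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
PING_THEN_DELETE_RE = re.compile(r"\bping\b[^&]*&\s*(?:del|erase|move)\b", re.I)
DEL_TARGET_RE = re.compile(r'\b(?:del|erase)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

Alert = Tuple[int, str, str]  # (pid, rule name, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> List[Alert]:
    hits: List[Alert] = []
    image, parent, cmd = basename(ev["image"]), ev["parent_image"], ev["cmdline"]
    if image == "csc.exe":
        m = RESPONSE_FILE_RE.search(cmd)
        if m and TEMP_RE.search(m.group(1)) and basename(parent) not in BUILD_TOOL_PARENTS:
            hits.append((ev["pid"], "runtime_csharp_compile",
                         f"{m.group(1)} compiled for {basename(parent) or 'unknown parent'}"))
    if image == "cmd.exe" and PING_THEN_DELETE_RE.search(cmd):
        hits.append((ev["pid"], "ping_delay_then_delete", "ping used as a sleep before del/move"))
        # Sharper variant: the file being deleted is the parent process's own image.
        t = DEL_TARGET_RE.search(cmd)
        if t and t.group(1).strip().lower() == parent.lower():
            hits.append((ev["pid"], "parent_self_delete", t.group(1).strip()))
    return hits


def check_registry(ev: dict) -> List[Alert]:
    # NLS\Language lookups are deliberately not alerted on: the report shows every
    # process in the tree (ping.exe and cvtres.exe included) opening that key.
    if GEO_NATION_RE.search(ev["target_object"]) and TEMP_RE.search(ev["image"]):
        return [(ev["pid"], "geo_nation_lookup_from_temp", ev["target_object"])]
    return []


def run(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in process_events:
        alerts.extend(check_process(ev))
    for ev in registry_events:
        alerts.extend(check_registry(ev))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in run():
        print(f"pid {pid:>5}  {rule:<28} {detail}")
```

Against these events the rules fire on csc.exe (PID 5092), twice on cmd.exe (PID 2612, once for the ping/del pattern and once because the deleted file is its parent's own image) and on the sample's Geo\Nation query; cvtres.exe and PING.EXE produce nothing. The csc.exe rule is the noisy one in practice: any process that compiles C# at runtime through a Temp response file, PowerShell's Add-Type included, looks the same, so the parent allowlist has to be tuned for the environment rather than trusted as written.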
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 1KB
  MD5:    e344bf4505c3a682cfc0663dbab6f520
  SHA1:   df6c6a7dfd0730a4b85e0ee177b155199af089bb
  SHA256: ebdb6b33c7dde70b1cf4c5ad575d86a9e97151b37b85bcbe89fb7ed350b5ef14
  SHA512: 65cd8758509bb975b1cc9fa259fe7001411c6cb93b3868faf7565d3859045606be0da98f4baedc55776e39efcd59eb9eeca45434add60ccc96ef6ec021f09951

  Filesize: 14KB
  MD5:    492d022709caa6fe8fea0986311fe59e
  SHA1:   78245de2255b2534357f8aa997fce7453e0c9e92
  SHA256: c08da2811a0e86a148a1c68c3bd527e83db919ecfd32291bf701c538ced1b54c
  SHA512: 4ce9b6083554acc22ac5373e32f6d1f623ba45a88fece91fafd9dfc040134e3fd8b37e8c4cc54278dacee893172c38f37c70c9f318d1456af8931a25c0893a77

  Filesize: 1KB
  MD5:    a5a77eb087cff7cdaf222ba2cb1be528
  SHA1:   80b283cba9a48fd5280cb85af2d4c948af169faf
  SHA256: fd67818558606ff8e556df0abd3f18b2edbbd06bbfc884a8a5315e0ed78f375c
  SHA512: ad6ef72e61da8aeb18a7da12ca8db127524577d709e7f96e619c1c51511355b5d187843601526067611e2f1510f2cfbc3a13b2984d3dd85b3148614bad7ac0dc

  Filesize: 23KB
  MD5:    42def916e8d5425fc2312c73019b6281
  SHA1:   71fbaf74706b4208823f5c9b5ba1efab3782b791
  SHA256: cebedd75a44db202c50f6667116d8983d7cb17e4742f3fb63d6d77dbd774d42a
  SHA512: 5b814aac2a15ee11cb666a215b4435e27c50cb73cc5e92d23399d01277a1a88bd5992995442677bc12a6e2a665269e034357992e05ca245a9ccae767bf28ce69

  Filesize: 275B
  MD5:    d12b304b2fc9716fa9c61bb59ac727cd
  SHA1:   00c6ff6277a10a8bc52e5d4b21cf69ecdc92fda3
  SHA256: a16487fbd9acea8102e4f06e2250e07c4deebc9b3fc34c03130b5b3c9e7a66ed
  SHA512: 36aeac40e7342c503b45d22b999cc458050d8d910a75e6e2de83c7d1bebb220175fd30dc78e2a0e69168ff629b80254b2c48b413152ccb6490595d4cf37f3ee4