Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/10/2024, 00:53
Static task: static1
Behavioral task: behavioral1
Sample: 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
Resource: win7-20241010-en
General
- Target: 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
- Size: 331KB
- MD5: 04585503f45c29d7aed015e16dfe1682
- SHA1: 59536b0d44f93421d6179d63866f9d49fc83d6f5
- SHA256: 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda
- SHA512: beaed660a7fd8123b30c2610e16dca0f488b4f292d85e0eafa418a1cb1f02a47be68c00c9277a10664d31e01797f24fa7aaeb31afed09143ec55406adfe4eb22
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYN:vHW138/iXWlK885rKlGSekcj66ciw
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | cauvz.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2588 | cauvz.exe
  4592 | hufig.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cauvz.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hufig.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4592 | hufig.exe (the same entry is reported 64 times)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4940 wrote to memory of 2588 | 4940 | 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe | 89 (reported 3 times)
  PID 4940 wrote to memory of 3528 | 4940 | 965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe | 90 (reported 3 times)
  PID 2588 wrote to memory of 4592 | 2588 | cauvz.exe | 104 (reported 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\965ba28048f83c5fd444603933420e9d22f46f9e20709c03850a9a5824659fda.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4940
   2. C:\Users\Admin\AppData\Local\Temp\cauvz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cauvz.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2588
      3. C:\Users\Admin\AppData\Local\Temp\hufig.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\hufig.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         PID: 4592
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - System Location Discovery: System Language Discovery
      PID: 3528
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 7e54542f6006fc0f7e9a20a367042d0b
  SHA1: 1876a468b71c69440b14b151cec2b236d5da990c
  SHA256: e0f9e746e86d81c2b292190ecf44fe2b9f877a9dbe4cbd5f50332059032a29f4
  SHA512: 5a14eb1d1b7b3dda369faef1dc3995af591740cc98750e8368889e97d2afea13153eaacf87c9e02998fa5cac9711a0ae2c0964c56fd0683d0622702bfe423cb2
- Filesize: 331KB
  MD5: 76d90a8adc38856ba579830e9f74cde8
  SHA1: 6d74cbfac1285ec5f5187c7dfc9ef0de6308a874
  SHA256: 65682920199f3c9afe10137c81204fe146b52fe1497c2116010ae245872c04ab
  SHA512: 37556c05984b366591601ea30068cf63e2971b653479709dfb8b24c47a9f2de7abf1a2225307faee20486829b8d1769c7ea96f93eb80b63906e7a08e5ec8c1d9
- Filesize: 512B
  MD5: 210b0b76ca90c2ee9e1c154216845db8
  SHA1: 21a82d1c84f432219a3b583c595cdef34aae53f1
  SHA256: f69dc57d6039dbe2fb41f45021867ec20d1ca3e900fad54cec03e5e14e88f09a
  SHA512: e21f2383b79b6bf9083f6a912de4a3626cc8f52191a7f578e168a554e233c7e288e7f914dfd233889fa1b207750f2a4c0c95fc3d83bab77d84523d814e7a08df
- Filesize: 172KB
  MD5: 3280439ca757ff92bb95e19036bf1c64
  SHA1: 887ffdb044168a2133750fe6ffdc3db91611717f
  SHA256: 901c243a527c462f2037a37f3bb44cd20ca072b16bcee9f152a959d5c2185337
  SHA512: 9a1e4d66268e000966350d327d4aa44428cea758139886108c5dbc6961ef4b437fbb5c79e5381926a048bd7239a66f9075ea1fe016175977cd75c2c148273c20