Analysis
max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2024, 05:25
Static task: static1
Behavioral task: behavioral1
Sample: ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
Resource: win7-20240903-en
General
Target: ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
Size: 331KB
MD5: f0dd240cd2f939bac9a5cdeeaef5bd0f
SHA1: 2e5da045a18a8fc6e5c511161b81e677f29b81c0
SHA256: ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6
SHA512: 967b5ef74ea32b59dedbb1dc522157b80933585304f2c1f99e0605800599ec500d6325d6d1643566d7488d925756d2ffc79e4c851da3fd2df33b7f00e08ed09c
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ciY
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                   | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | hosyd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe

Executes dropped EXE (2 IoCs)
pid  | Process
1160 | hosyd.exe
2948 | bebip.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                        | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hosyd.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bebip.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
2948 | bebip.exe (the same entry is listed for all 64 IoCs)

Suspicious use of WriteProcessMemory (9 IoCs)
description                      | pid  | Process                                                              | procid_target
PID 936 wrote to memory of 1160  | 936  | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe | 89
PID 936 wrote to memory of 1160  | 936  | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe | 89
PID 936 wrote to memory of 1160  | 936  | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe | 89
PID 936 wrote to memory of 400   | 936  | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe | 90
PID 936 wrote to memory of 400   | 936  | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe | 90
PID 936 wrote to memory of 400   | 936  | ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe | 90
PID 1160 wrote to memory of 2948 | 1160 | hosyd.exe                                                            | 103
PID 1160 wrote to memory of 2948 | 1160 | hosyd.exe                                                            | 103
PID 1160 wrote to memory of 2948 | 1160 | hosyd.exe                                                            | 103
Processes
C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe (PID 936)
  command line: "C:\Users\Admin\AppData\Local\Temp\ff72025592c65024ad87548af7431d3003fe8aa28e8d236627c8ddb5b422a5d6.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\hosyd.exe (PID 1160, child of 936)
    command line: "C:\Users\Admin\AppData\Local\Temp\hosyd.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bebip.exe (PID 2948, child of 1160)
      command line: "C:\Users\Admin\AppData\Local\Temp\bebip.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 400, child of 936)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads