Analysis

  • max time kernel
    86s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2024, 21:35

General

  • Target
    1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe
  • Size
    88KB
  • MD5
    921a82bd0fe814e8c9a529e8c1d3ae40
  • SHA1
    7aabea2c09e17f31d3d5ce8b7134c25ecebcca97
  • SHA256
    1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6
  • SHA512
    62600508aa8e687abb160bb2ffbe01f6dbe07598309c8a8e1c97d5ebe8d650db76d144d38c67ec1e045e918e22ed881b1be19c539d7e3699558181b1e7c28647
  • SSDEEP
    768:VEQospn+18nOeTmI2G1VT6lnKCJaLVgJITFzEJ+y0cdGinm1ZzdBoEb+:wF18nOebn+baL0wisoES

Malware Config

Signatures

  • Renames multiple (1294) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 46 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe
    "C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\Regedit.exe
      Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\1.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:3604
    • C:\Windows\SysWOW64\Regedit.exe
      Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\2.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:3316
    • C:\Windows\SysWOW64\Regedit.exe
      Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\3.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:3728
    • C:\Windows\SysWOW64\Regedit.exe
      Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\4.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:2540
    • C:\Windows\SysWOW64\Regedit.exe
      Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\5.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:1804
    • C:\Windows\SysWOW64\Regedit.exe
      Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\6.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Runs .reg file with regedit
      PID:3724
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\WinExec.exe.vbs"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4772

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 169B
    MD5: 1b8aa9c4579e695f722c7efeb62b1ceb
    SHA1: efd42acaefecbabbad2712c61b499c86cf587ed9
    SHA256: 6f5d42baf0d55a215ee384479a8881e8781eb4302893abc85ae8b2219dbfc87e
    SHA512: 85947a9a2c9aa0eeb2b13f1e1dfd8cee0c3c584ecadfde981ca8c6876afcf4b493872520138b0f172ab5875e2a655a9e2880cb72b9ed7bcf205b9fb8d7a6473d

  • C:\Users\Admin\AppData\Local\Temp\2.reg
    Filesize: 170B
    MD5: 3cf886f68272009e51bf760ff02f2fd1
    SHA1: 1c8d1db4f21738cf3345a5f8934920282d8aaf27
    SHA256: 69a21a0cd503689fc61f0aef1803a4addf742ca55e6c1c60595a3dc435eb275c
    SHA512: c98169b4e3ad37339b6e465c436c8f67413e6c2ea32a1ce44c75ee6d39947b3ac9ac3e8ee06cda962e22484c1fe52f5242f197155975ab94c15ad8700392fe2f

  • C:\Users\Admin\AppData\Local\Temp\3.reg
    Filesize: 175B
    MD5: c0a6a61f9509d470195892991d17f51f
    SHA1: db566bf2c08894eaf3032e7c0aff68d01d99b382
    SHA256: ad94ca231b24a4d7cd6f34fd009e8eddf9d09114fbfd7bab287c2e88479ad700
    SHA512: 93680d6353ead2899c6070deeef60d57ec67323bad090fcae2b9c47e0748640345379ed4607646068772e11487f1915851809de0245a29263a50dd0755ccfb69

  • C:\Users\Admin\AppData\Local\Temp\4.reg
    Filesize: 139B
    MD5: 7ff9ca1a78edea205480a199f18c3c52
    SHA1: 39ce114f5ce61f5de55485d953d7194e377f80ad
    SHA256: bf70e43d27eb1e179e22f22721060a162d28f202ffaa09848d68bb36d15e1dcb
    SHA512: 80b89528a49716d1215da373a8d84c68c2acf29ff085f3a8694f4d3294f16e7238e3f41c63eae481596de58f772dbfe8ef10f300cc58c75eb748c195364e1c94

  • C:\Users\Admin\AppData\Local\Temp\5.reg
    Filesize: 140B
    MD5: 3e3b711f00fddb7bd82e6ca38be79af9
    SHA1: a3c9ee6e8e8d9617c3814c9f3f31c50a2ca80e42
    SHA256: 776c84a44d9c7da404aae26d8238b242b4ec8a49c66bddf564104fec4e126acf
    SHA512: c403865f368333a1f849c5ae379c36fdc8f96bc8e235d8e5680d1866d65ba4eeed402292aeb8f8ed7891a91081db8b1721bc3647e7e07b74f3590ebe5c44e8b2

  • C:\Users\Admin\AppData\Local\Temp\6.reg
    Filesize: 145B
    MD5: 605e06f594a02d384a023169fd6da5e6
    SHA1: c61c8ab826851d808ee55fbc90073da44c1efa99
    SHA256: 92f0a278cf25a44853b5af65f54f29cb62c4c3c1cf9d368e4ac90f70f0d79a28
    SHA512: fc5be0eccb6100c1280f351b53dd39930f2731751d67d253d2623029f49f0d9f931b43b3e2072ad11c7db2b944b579d03ef761801dae02d240ac7c8d643cf79d

  • C:\Windows\MSIEXEC32.EXE
    Filesize: 88KB
    MD5: 921a82bd0fe814e8c9a529e8c1d3ae40
    SHA1: 7aabea2c09e17f31d3d5ce8b7134c25ecebcca97
    SHA256: 1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6
    SHA512: 62600508aa8e687abb160bb2ffbe01f6dbe07598309c8a8e1c97d5ebe8d650db76d144d38c67ec1e045e918e22ed881b1be19c539d7e3699558181b1e7c28647

  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\ErrorPageStyles.css.vbs
    Filesize: 57KB
    MD5: 0acb2045c25d91efe3d67166b650101a
    SHA1: 76c503ec1d87b8358eb8e226086baef23eb298cc
    SHA256: deb9bfc6d236a35310eaa6c23cebb1542fbc2eab801285b87c4b828f22627091
    SHA512: d9fbcab6ed8840e9b83fb83012db2d6895749ebd999a3676791c84449e9cbb0089ef111ad2a2aa1fe87a8a320cf52cf9df3b3f6ca9ac266f39cc290f95a3c466

  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\PhishSiteStyles.css.vbs
    Filesize: 5KB
    MD5: 3517207921bc421e52b64ede4226134f
    SHA1: 67da2033c4b3eddf347433ac4e79e4a1379eaf81
    SHA256: c34a78268a7338d1e5d1c0f0c44e5a8cc78f670d8c871261b6f8d302e0b29176
    SHA512: 713cd6ad7d14252ff9ed43898c1132968a306933c6b4c46327d07a945c1989ba8f5d149bbd8ffb59c211979e7c783e9c22bf6dec6c08e0bd46517411ddf0a546

  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\TridentErrorPageStyles.css.vbs
    Filesize: 4KB
    MD5: 559a66b58cf5163690ab75559c8801fb
    SHA1: b334704e65d0b492e78e71f65f455383060ac067
    SHA256: 807ebc19ab4a95f4f03096c7e6acca70d263fdf256d62484270a7ce539443272
    SHA512: 2a57029f8957a47a1d873c8e08c283c929c43e21e8c18764c8ca2ff812eaf999aabd9f28574f69d0a70437912c2a7d90909745c0b590a927fb5c73aa98c52a6f

  • C:\Windows\WinExec.exe.vbs
    Filesize: 215KB
    MD5: 41cea5604b6bd6971deca5227766eaee
    SHA1: b4f1fe5c9f56ffe92e9aae018ee7146b5b1d6c51
    SHA256: 595d16fada5b5b80331b1b49ee39dba522cf17cf111be920ba596d01f85fa93d
    SHA512: 0b15fca5c5761c3c489c419f01dd8c918385ea837b5fb10db184c8cd08e8811c0547f00a90f7dd8ccb73e1907f55f2b4c7574547dd8a35a4d46bcc37575ab6a0

  • memory/624-0-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB