Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2024, 01:02
Static task: static1
Behavioral task: behavioral1
Sample: ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
Resource: win7-20240708-en
General
Target: ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
Size: 330KB
MD5: 2dd959c6e1effb6abe46f94d0702b2f5
SHA1: 77b2edad9d60e05a74840a598a7797e47c42a885
SHA256: ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43
SHA512: ac666070e68302e8092b1a180f69ae71c808a75b99813e7c2c55d26bc7fc007ef7724ce616a8652565bf78c71011bac6f04b2b628a1f7a6d559ff5b9314ae1a7
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVN:vHW138/iXWlK885rKlGSekcj66ciEN
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | uhtoy.exe

Executes dropped EXE (2 IoCs)
pid | Process
1388 | uhtoy.exe
2912 | lynud.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uhtoy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lynud.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2912 | lynud.exe (this same row is listed 64 times in the report, once per IoC)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1168 wrote to memory of 1388 | 1168 | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe | 87
PID 1168 wrote to memory of 1388 | 1168 | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe | 87
PID 1168 wrote to memory of 1388 | 1168 | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe | 87
PID 1168 wrote to memory of 4076 | 1168 | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe | 88
PID 1168 wrote to memory of 4076 | 1168 | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe | 88
PID 1168 wrote to memory of 4076 | 1168 | ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe | 88
PID 1388 wrote to memory of 2912 | 1388 | uhtoy.exe | 110
PID 1388 wrote to memory of 2912 | 1388 | uhtoy.exe | 110
PID 1388 wrote to memory of 2912 | 1388 | uhtoy.exe | 110
Processes

ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe (PID 1168, depth 1)
  Image: C:\Users\Admin\AppData\Local\Temp\ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad9a72ffd516fe8bc888115cf1beda8cac2c8f17d5a0a82351bad1ccf517cc43.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  uhtoy.exe (PID 1388, depth 2, child of PID 1168)
    Image: C:\Users\Admin\AppData\Local\Temp\uhtoy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uhtoy.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    lynud.exe (PID 2912, depth 3, child of PID 1388)
      Image: C:\Users\Admin\AppData\Local\Temp\lynud.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lynud.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  cmd.exe (PID 4076, depth 2, child of PID 1168)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 23711745137f60f536ecd30106ce5d6f
SHA1: bedbfff2c9fbc138a78a3d1c0bde391a363d6c97
SHA256: f9416d13ebeddc0f2f679e8cfe904d11dc2b36f18caed57b4bb8aaca87af34ac
SHA512: 97777e6997e64424650f83ad22a7c2bd553e9f6d021602853c182c81646d956c87c65fc20ec05e28669a55acce5a4736e523dbbc2c74852ad9d3c5b4494d6482

Filesize: 512B
MD5: 9e922a97590c667ace3f5b0e023d8221
SHA1: f52c1e81d6c7b2b64e3b02d3c0dfff2cb3caefb8
SHA256: 055b90fa4ed66226af3a2d6813135ee1dfb47db31f6dce34696f3db4fb291a2a
SHA512: b8d2574a06929a0a21d9d0807ae1635047dfab59be4dc86bf0f83320ed17fef66587c622a948bdae4a709cc7fd253ed6818a13191d1c06c9f1f3c0de1aff44f9

Filesize: 172KB
MD5: 46d6966136775965eb30f4c144c2885f
SHA1: 8ac28e5c6c1b089af681e28c881f1ad69e779417
SHA256: 7ef63c5946354331b39cc7cb191024396cff12f44dafb5a7c48aafc655a01dc9
SHA512: d8cec70c770abd9e328cb7bb9a723eb1bab72aee7788d1e8ad71350ada195338c037d8f21f7ceb2b7f66584cbb8c7b4e49401f03501c97bf8458a8cdb17b0f36

Filesize: 330KB
MD5: 7a3f11834f77bd1b6b1ddd1521a72c01
SHA1: 61d4a7cf0d5ff9e8de4750eed4377fe3c4daa55b
SHA256: 5d3bf68b83c1713a8bee18b1f555ad951ac90af4c746e22b07a71950429ccd3a
SHA512: dcf9d089696dbcc7f1da9c136e73019ad7d1f2542dd191a9c7e2809092cfcf6fd332f378d1544f9252a354059017bbd5374306b4d61b495a222cd600b770564b