Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/10/2024, 04:30
Static task: static1
Behavioral task: behavioral1
- Sample: e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
- Resource: win7-20240903-en
General
- Target: e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
- Size: 331KB
- MD5: 43ccc6958f91e07a407881b33286ef05
- SHA1: 7b2ce6400110ceb59534d4b181743db40817293d
- SHA256: e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3
- SHA512: 42eff49833ea7f7af48eae35844ccc5c1b78eeda22362e38f37faff61540eb84de4ad32b7f7ee1f185ece81c157dbf883fa293678848dac0cf3c86811160fdfa
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ci9
Malware Config
Extracted family: urelas
C2 addresses:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | wuofc.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  4424 | wuofc.exe
  1632 | zyten.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wuofc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zyten.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1632 | zyten.exe (this identical row is repeated 64 times in the report)

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3092 wrote to memory of 4424 | 3092 | e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe | 90 (row repeated 3 times)
  PID 3092 wrote to memory of 4736 | 3092 | e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe | 91 (row repeated 3 times)
  PID 4424 wrote to memory of 1632 | 4424 | wuofc.exe | 104 (row repeated 3 times)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e87e50469e2e9d253c4fdd07a68f29c058e1a12a354482dbe05f99927e19d1b3.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3092

  Level 2: C:\Users\Admin\AppData\Local\Temp\wuofc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wuofc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4424

    Level 3: C:\Users\Admin\AppData\Local\Temp\zyten.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zyten.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1632

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
    PID: 4736
Network
MITRE ATT&CK Enterprise v15
Downloads

- Dropped file 1
  Filesize: 340B
  MD5: c3482ced7f644d94381c9b12ae15ecc2
  SHA1: aee03a143b0d88848e660c6a06347c4d327b1a09
  SHA256: ce3b22efc8692e1f90e4de419cc21f6b3306935da4224298008f4ab995b810fd
  SHA512: 560d86a27e2a4c897fc432f85e8f418d7002372d202bfd76e1ad16e6c671bbec0f66a60059dc1f5d518a183b77cca1f293ce0d735200c77f8d9a02f941cc1041

- Dropped file 2
  Filesize: 512B
  MD5: daff6e80df7dd04ab02d62256b91e956
  SHA1: 76e80153e92dcf8acdea918bc225baec4d55a16f
  SHA256: 104d75d278cd0495e37a47447a082d7d138c6fe57014d17fd0b97896d3920976
  SHA512: 52c889934edaab82b3fceaa24c4c20ac75d305b09eee34e1420d70a3601fa5e31a7b58d6d11c107e13455538a50f42cbf87a3804a6822235d9b3848522c24b58

- Dropped file 3
  Filesize: 331KB
  MD5: 3c0cb484d9055d6c594af2d779f225b6
  SHA1: 5a59400eb4beeb225b359e1e4f37d863250484dc
  SHA256: ccd66b9c21acaff5723f8bc7878b1a4fb929d76ba38a1734bcad6215a79b535f
  SHA512: 11534d9bd032aa08dfdc4bb87fa84bd25d83b33df08591e5f17d9c0dbcfe591f229a47b6d47fba320a31ff249e5f4aa1f45206f1e3c78d2d1aece3ef793428a0

- Dropped file 4
  Filesize: 172KB
  MD5: e9c38eaef57b60ce3308085ed428fd7d
  SHA1: c55985dfc9079751311d70083921e65af172543f
  SHA256: 86c5dca0991a5fc20d3e912833c3a3ea937938022d56e12f3777c3be049330ee
  SHA512: 0f5c3521e1eefbe07b7aeacf4d49b537959c77539ae3a22cbf97333bea6518be4e88cc9a69b70a80bee8b4c1914d92cdad7883fda77cb707e0979a7f4c8c73f0