Analysis
  max time kernel: 120s
  max time network: 120s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13/11/2024, 00:45
Static task: static1
Behavioral task: behavioral1
  Sample: 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
  Resource: win10v2004-20241007-en
General
  Target: 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
  Size: 78KB
  MD5: b747158e23a0fea4441da26bf0aa6640
  SHA1: f9688cabec432f1f88eb5d1c7f123ad5df1f05f4
  SHA256: 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4
  SHA512: ab66a528060c7078c2c17b14d8fc32b4ded0d27e7f258fbc08a3147af2242b2f31cd54c6688839352ddd21713e5a20c228bf7a245cfae0d111107fc5f2771f3a
  SSDEEP: 1536:Je5jSgpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtC6R9/nb1iH:Je5jSeJywQj2TLo4UJuXHhZ9/nm
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
  Process: 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe

Executes dropped EXE (1 IoC)
  pid: 5108
  Process: tmp6BCA.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp6BCA.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3608  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
  Token: SeDebugPrivilege   5108  tmp6BCA.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 3608 wrote to memory of 4172   3608  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe  83
  PID 3608 wrote to memory of 4172   3608  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe  83
  PID 3608 wrote to memory of 4172   3608  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe  83
  PID 4172 wrote to memory of 936    4172  vbc.exe                                                                   85
  PID 4172 wrote to memory of 936    4172  vbc.exe                                                                   85
  PID 4172 wrote to memory of 936    4172  vbc.exe                                                                   85
  PID 3608 wrote to memory of 5108   3608  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe  86
  PID 3608 wrote to memory of 5108   3608  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe  86
  PID 3608 wrote to memory of 5108   3608  9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe  86
Processes

  C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe (PID 3608, level 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4172, level 2)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oi6to-vh.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 936, level 3)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB32D55AA86C427C8EF7777DA2C39ED4.TMP"
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe (PID 5108, level 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads