Analysis
max time kernel: 94s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2024, 17:12
Behavioral task: behavioral1
Sample: e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe
Resource: win10v2004-20241007-en
General
Target: e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe
Size: 811KB
MD5: f6b3b7a302a1c13691b59b6237f7e9bc
SHA1: f6965076f5854f806f7561a31375db0a023c8df2
SHA256: e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f
SHA512: 6d8e0a3a6dbc88dda6a6ff5b5876df1fc6eb68daca2748870232399702cee0f0af1e73d14432c48287a434c8685f327b602ead2ccc2928d05f56a5e7fe2bb543
SSDEEP: 6144:oJen3OZTtGpDBA872WzrrBCiX1hM6UhevMY/YrwnrVXAJsB3g7bgvI3jjZ6ir2Rw:oJa8EFAszrrBqLYvCmxAWNbA3GGkgd
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe

Executes dropped EXE (2 IoCs)
pid | Process
2544 | Derrubar Facebook 2015 Funcional.exe
3756 | Server trojan.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server trojan.exe2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server trojan.exe" | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3824 | 3756 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Derrubar Facebook 2015 Funcional.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server trojan.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1956 | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1956 wrote to memory of 2544 | 1956 | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe | 83
PID 1956 wrote to memory of 2544 | 1956 | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe | 83
PID 1956 wrote to memory of 2544 | 1956 | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe | 83
PID 1956 wrote to memory of 3756 | 1956 | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe | 84
PID 1956 wrote to memory of 3756 | 1956 | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe | 84
PID 1956 wrote to memory of 3756 | 1956 | e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe | 84
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2a8a9d61a0a5c4ba2e3c5717da1cd40c3bc5bfe8d1bbf5429e9837fc2a9118f.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1956

  C:\Users\Admin\AppData\Local\Temp\Derrubar Facebook 2015 Funcional.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Derrubar Facebook 2015 Funcional.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2544

  C:\Users\Admin\AppData\Local\Temp\Server trojan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server trojan.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3756

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 448
      - Program crash
      PID: 3824

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3756 -ip 3756
  PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 274KB
MD5: 3c742bbf590e2c5df59cfa715df43936
SHA1: c229ecd2d9a39ca3addf8266815c5cd061538a55
SHA256: 63eccb45ae9c896b159a518fe408f8b11f2854260696d0c9121fe4230dd3f455
SHA512: c9f951bb9e026cea6e354cdb2a8697c8cb279fba2dca2874d345d79d32686b36b7f962a93150e103002dc613b547b5e8522781902396f206cddb94f030f89fd9

Filesize: 232KB
MD5: 1f2f2caea8d98b4e8b8ee71c399dbdf0
SHA1: 6d0de226a7f9e1dd2c5328c0f722fd621d6e0314
SHA256: ba58347ae01e7077753c71332b5c72585259d8501c26ec9a534e9af28dba7cf4
SHA512: 88d11d60ce2e9085ec0607c09a0b1cd4aba11ff8001130661ddbb00bf8c7860f3ee535c4933b1a4de23a525b983bb142de3286f50b15e24e05a19376ea81dd91