Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/12/2024, 11:42
Static task
static1
Behavioral task
behavioral1
Sample
5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe
Resource
win10v2004-20241007-en
General
-
Target
5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe
-
Size
14KB
-
MD5
21938675d58e4ff496bae09c18d52165
-
SHA1
256ceaa96ae692bcb5739f5cad892992546e5d1e
-
SHA256
5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510
-
SHA512
6ed617469c91bb1a40758bea6c769b1b6a568a3ea47ec974929bed176cc1fb8a49211ee06aab9aaf66d9ae9afb2efc7f4bc0352bff478bad5c463bfe613ec20c
-
SSDEEP
192:HsBPEKR1JfsU02Joj8fwDeaY7UYYJ213grR+R8rxJdq/hIRuB:HGmxaKDPY7YAJax/ohIR0
Malware Config
Extracted
metasploit
windows/exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2036 wrote to memory of 2456 2036 5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe 84 PID 2036 wrote to memory of 2456 2036 5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe 84 PID 2036 wrote to memory of 2456 2036 5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe"C:\Users\Admin\AppData\Local\Temp\5a95bdc402fce462b7a10075b388329eb233957bfaa3dac638d6603379658510.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c malware.exe2⤵
- System Location Discovery: System Language Discovery
PID:2456
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
189B
MD5bd34e21bb7acb0e565fc228752de6579
SHA15e9bccfd302c30d53094b984155fa2054d53c6bf
SHA256a87a56079e2f0a9ae3cf41d6c274c6e57c91dbf9849a3b250faeab46a4b50021
SHA5129a049fc798cb737ca7ccb771c9002bd9376223dde45d57d55e2cad6a95a51f3b3268ac5b2c92a9d5650ac71a67a52b8d193f649e79382ed460f4dd42442cd00d