Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
10/02/2025, 01:15
Behavioral task
behavioral1
Sample
1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe
Resource
win10v2004-20250207-en
General
-
Target
1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe
-
Size
1.2MB
-
MD5
2a03b08eba89b4d692752ee2501a3cd1
-
SHA1
0cf46736c4c12373645950f3942d73e853e3787b
-
SHA256
1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db
-
SHA512
c94eff8f0d84fd7216771c90e1666cd69ad469d9749547dbe49dd641f3c52e4ebf42856d225743f2f95b589fb98437975cc553754f6b8f37460b16b18c7bffc0
-
SSDEEP
24576:rsS04YNEMuExDiU6E5R9s8xY/2l/d0J5dtsPxNGf52Ibt+ra:rE4auS+UjfU2Tg5XDB2Ibt+r
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe -
Executes dropped EXE 1 IoCs
pid Process 1888 AudioDriver.exe -
Loads dropped DLL 1 IoCs
pid Process 1888 AudioDriver.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe File opened for modification C:\Windows\assembly\Desktop.ini 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe File created C:\Windows\assembly\Desktop.ini 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe File opened for modification C:\Windows\assembly\Desktop.ini 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AudioDriver.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4976 MicrosoftEdgeUpdate.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1888 AudioDriver.exe 1888 AudioDriver.exe 1888 AudioDriver.exe 1888 AudioDriver.exe 1888 AudioDriver.exe 1888 AudioDriver.exe 1888 AudioDriver.exe 1888 AudioDriver.exe 1888 AudioDriver.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1888 AudioDriver.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1200 wrote to memory of 1888 1200 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe 86 PID 1200 wrote to memory of 1888 1200 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe 86 PID 1200 wrote to memory of 1888 1200 1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe"C:\Users\Admin\AppData\Local\Temp\1f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDkyMTZGNDgtN0Q3Qi00MjA5LTkyRjMtNTNERjkzRkFGOEZDfSIgdXNlcmlkPSJ7OEVBNzM0NzItREIxQS00NDMwLUE1QkEtNDE3RUQzMjQ0QzU0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODUyOTk5NTgtQjQ4Ny00RjE5LTk0Q0YtMzNFM0U2OTRERkY5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTg4OTU1OTAzIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4976
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
626KB
MD5d8aec01ff14e3e7ad43a4b71e30482e4
SHA1e3015f56f17d845ec7eef11d41bbbc28cc16d096
SHA256da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e
SHA512f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf
-
Filesize
1.2MB
MD52a03b08eba89b4d692752ee2501a3cd1
SHA10cf46736c4c12373645950f3942d73e853e3787b
SHA2561f2082894179434f7f9180d3cf553d056755df6af57f6117bd3237486c6478db
SHA512c94eff8f0d84fd7216771c90e1666cd69ad469d9749547dbe49dd641f3c52e4ebf42856d225743f2f95b589fb98437975cc553754f6b8f37460b16b18c7bffc0