Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    184s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11/02/2022, 06:54

General

  • Target

    570bdefc9c230fa190c9c16763c65ca7b3c488b4941919df6b356c85e8d4e8fc.exe

  • Size

    55KB

  • MD5

    edfbee8bcd1f618f35c1521e127cb9bf

  • SHA1

    d7fb17f6a391d32def76af948f76d78303cf7d79

  • SHA256

    570bdefc9c230fa190c9c16763c65ca7b3c488b4941919df6b356c85e8d4e8fc

  • SHA512

    304aae85700d59dc56b407ea39d067311d48c4789a3dea190890dd210cd10009d4d2527e590caba60a6508d96cc02cac1d8543441a1db77dada2b8881da017ab

Malware Config

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 9 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\570bdefc9c230fa190c9c16763c65ca7b3c488b4941919df6b356c85e8d4e8fc.exe
    "C:\Users\Admin\AppData\Local\Temp\570bdefc9c230fa190c9c16763c65ca7b3c488b4941919df6b356c85e8d4e8fc.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:4492
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3348
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2368
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2368 -s 4384
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      PID:4760
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:2972
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
      PID:2180
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 408 -p 2368 -ip 2368
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:3764

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2972-135-0x000001EF30EC0000-0x000001EF30EC4000-memory.dmp

      Filesize

      16KB

    • memory/3348-130-0x000001AB0E220000-0x000001AB0E230000-memory.dmp

      Filesize

      64KB

    • memory/3348-131-0x000001AB0E280000-0x000001AB0E290000-memory.dmp

      Filesize

      64KB

    • memory/3348-132-0x000001AB10940000-0x000001AB10944000-memory.dmp

      Filesize

      16KB