Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19/02/2022, 19:43
Static task
static1
Behavioral task
behavioral1
Sample
9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe
Resource
win10v2004-en-20220113
General
-
Target
9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe
-
Size
28KB
-
MD5
38a6b865b53b8d4c7c6c84f9a7c00adb
-
SHA1
e00deec328dc0a592465d0625f1e7f0eeff22676
-
SHA256
9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950
-
SHA512
393e2b5a92e6bffd114e7239f1bb44a41dc2bfcc80e585987cb350ae245adbabd4282152f04abdc0428b45e6d0c9ed50ff5d909625e2023343cf1e4efdbeb010
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Executes dropped EXE 1 IoCs
pid Process 2264 szgfw.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 640 svchost.exe Token: SeCreatePagefilePrivilege 640 svchost.exe Token: SeShutdownPrivilege 640 svchost.exe Token: SeCreatePagefilePrivilege 640 svchost.exe Token: SeShutdownPrivilege 640 svchost.exe Token: SeCreatePagefilePrivilege 640 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1312 wrote to memory of 2264 1312 9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe 87 PID 1312 wrote to memory of 2264 1312 9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe 87 PID 1312 wrote to memory of 2264 1312 9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe"C:\Users\Admin\AppData\Local\Temp\9c20edb0ce9bb354eaee4fa57761df5e491cbb942db2736da8ae7f6a30f6a950.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
PID:2264
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:640