Analysis
- max time kernel: 94s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25/06/2022, 05:04
Static task: static1
Behavioral task: behavioral1
- Sample: c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68.exe
- Resource: win10v2004-20220414-en
General
- Target: c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68.exe
- Size: 129KB
- MD5: 67e323570213378a54e19b0ccdcf49f0
- SHA1: e95460434d6de33361167b935ce56c05b85250b9
- SHA256: c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68
- SHA512: 96e8dbe1fd75fac932a40bcf6fe4864596170317e37d0e93ce17877d61430e97ff9b32a7d7a178d463fcff421147e3817506d839041a067721991f3aebd3e7e4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  3768 | ExportLibrarys.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process
  3768 | ExportLibrarys.exe (the same entry is reported 23 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3768 | ExportLibrarys.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 928 wrote to memory of 3768 | 928 | c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68.exe | 82 (the same entry is reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68.exe"
  PID: 928
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\XLoader-ExLibs\ExportLibrarys.exe (depth 2, child of PID 928)
    Command line: "C:\Users\Admin\AppData\Local\XLoader-ExLibs\ExportLibrarys.exe" xrun
    PID: 3768
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 129KB
  MD5: 67e323570213378a54e19b0ccdcf49f0
  SHA1: e95460434d6de33361167b935ce56c05b85250b9
  SHA256: c4e8282ef48e91716ace408edc83347bbce4ed299abaeae7c4100a61402eaf68
  SHA512: 96e8dbe1fd75fac932a40bcf6fe4864596170317e37d0e93ce17877d61430e97ff9b32a7d7a178d463fcff421147e3817506d839041a067721991f3aebd3e7e4