Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    72s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/09/2022, 23:45

General

  • Target

    10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe

  • Size

    521KB

  • MD5

    b59017e1b2c478b22c7079e2881ce4a4

  • SHA1

    5443180e24ed328182a435f95a919d2f4b8fcc24

  • SHA256

    10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088

  • SHA512

    0e8333a43dfe346c4b5898dc9ae5b054b160b264e3fd8338cc010dd337549610ef9207d732d33177ca406420ecbae4b88bcf4dc47687721f6044516c59492559

  • SSDEEP

    12288:tKFbvjITRVN6B5SFuf2es2TX1EDFzzvhE+XSIVmPI2cL:tPRD+Uz5E/Yn7

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
    "C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\meh.exe
      "C:\Users\Admin\AppData\Local\Temp\meh.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Users\Admin\AppData\Local\Temp\vbc.exe
        C:\Users\Admin\AppData\Local\Temp\vbc.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\meh.exe

    Filesize

    216KB

    MD5

    fe40685e334fb812696f4bc50735e11f

    SHA1

    4ea50ab2fd1e7dcebc7c741503ab03d4e1c77173

    SHA256

    a5e147de4abfc324fad4000d958f8ca848251339be66228303fe45852c4cd2d7

    SHA512

    b4b0fb9b6a86d44b890d25a2e93bad3204c61169d59a05e1c016f80c3255775712fac7e479fc2c534a2b52b07fb3eb9ff20e50beff8847f3181a6e7ceb9c6d1c

  • C:\Users\Admin\AppData\Local\Temp\meh.exe

    Filesize

    216KB

    MD5

    fe40685e334fb812696f4bc50735e11f

    SHA1

    4ea50ab2fd1e7dcebc7c741503ab03d4e1c77173

    SHA256

    a5e147de4abfc324fad4000d958f8ca848251339be66228303fe45852c4cd2d7

    SHA512

    b4b0fb9b6a86d44b890d25a2e93bad3204c61169d59a05e1c016f80c3255775712fac7e479fc2c534a2b52b07fb3eb9ff20e50beff8847f3181a6e7ceb9c6d1c

  • C:\Users\Admin\AppData\Local\Temp\vbc.exe

    Filesize

    1.1MB

    MD5

    d881de17aa8f2e2c08cbb7b265f928f9

    SHA1

    08936aebc87decf0af6e8eada191062b5e65ac2a

    SHA256

    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

    SHA512

    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

  • memory/2380-135-0x00007FFB3BBF0000-0x00007FFB3C626000-memory.dmp

    Filesize

    10.2MB

  • memory/4388-141-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4388-144-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4388-148-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4388-149-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/5068-139-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/5068-146-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB