Analysis
max time kernel: 72s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/09/2022, 23:45
Static task: static1
Behavioral task: behavioral1
  Sample: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
  Resource: win10v2004-20220812-en
General
Target: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
Size: 521KB
MD5: b59017e1b2c478b22c7079e2881ce4a4
SHA1: 5443180e24ed328182a435f95a919d2f4b8fcc24
SHA256: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088
SHA512: 0e8333a43dfe346c4b5898dc9ae5b054b160b264e3fd8338cc010dd337549610ef9207d732d33177ca406420ecbae4b88bcf4dc47687721f6044516c59492559
SSDEEP: 12288:tKFbvjITRVN6B5SFuf2es2TX1EDFzzvhE+XSIVmPI2cL:tPRD+Uz5E/Yn7
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  5068  meh.exe
  4388  vbc.exe
  resource                                                                      yara_rule
  behavioral2/memory/4388-141-0x0000000000400000-0x0000000000459000-memory.dmp  upx
  behavioral2/memory/4388-144-0x0000000000400000-0x0000000000459000-memory.dmp  upx
  behavioral2/memory/4388-148-0x0000000000400000-0x0000000000459000-memory.dmp  upx
  behavioral2/memory/4388-149-0x0000000000400000-0x0000000000459000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Process: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
  description: PID 5068 set thread context of 4388
  pid: 5068
  Process: meh.exe
  procid_target: 84
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 4388
  Process: vbc.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2380 wrote to memory of 5068   2380  10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe  83
  PID 2380 wrote to memory of 5068   2380  10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe  83
  PID 2380 wrote to memory of 5068   2380  10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe  83
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
  PID 5068 wrote to memory of 4388   5068  meh.exe                                                                   84
Processes
C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe (PID 2380)
  command line: "C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\meh.exe (PID 5068)
    command line: "C:\Users\Admin\AppData\Local\Temp\meh.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 4388)
      command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 216KB
  MD5: fe40685e334fb812696f4bc50735e11f
  SHA1: 4ea50ab2fd1e7dcebc7c741503ab03d4e1c77173
  SHA256: a5e147de4abfc324fad4000d958f8ca848251339be66228303fe45852c4cd2d7
  SHA512: b4b0fb9b6a86d44b890d25a2e93bad3204c61169d59a05e1c016f80c3255775712fac7e479fc2c534a2b52b07fb3eb9ff20e50beff8847f3181a6e7ceb9c6d1c
Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34