Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/09/2022, 00:52

General

  • Target

    6b2d58563e9a4883f39cb956c8da7e49792f95139341670120927e214b30ca8c.exe

  • Size

    228KB

  • MD5

    b0235a2f84837f6ac43b99d2fd6c5aa7

  • SHA1

    74e0921f66295dfaa34e1e1361f016f74f108720

  • SHA256

    6b2d58563e9a4883f39cb956c8da7e49792f95139341670120927e214b30ca8c

  • SHA512

    21ef037163edc64f5ade95e42261351170f229c6a4bc756589d64abd1eb9b6aec52a167884bbca828f10d6a8879b4d6ba08507a2c7a88d6b6ee10000365b986d

  • SSDEEP

    6144:LKcBM3dwqsNy5ibpNjl4EqxF6snji81RUinKIC5j:Gc0dQxlV

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b2d58563e9a4883f39cb956c8da7e49792f95139341670120927e214b30ca8c.exe
    "C:\Users\Admin\AppData\Local\Temp\6b2d58563e9a4883f39cb956c8da7e49792f95139341670120927e214b30ca8c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\vgfeuk.exe
      "C:\Users\Admin\vgfeuk.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1680
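
As an added triage example (not part of the tria.ge report and not the sample's code), the PowerShell below checks a host for the artefacts the signatures and process tree above describe: the Run-key entry, the Explorer hidden/system file visibility values, the Geo\Nation value a location check reads, and the dropped copy at the profile root, hashed against both SHA256s from this report. The registry paths and value names are the standard Windows locations for each behaviour and are assumptions: the report records the behaviour categories, not the exact keys or values the sample wrote.

```powershell
# Added host-triage example; not part of the tria.ge report. Registry
# locations below are the standard ones for each behaviour and are an
# assumption, since the report does not list the values the sample wrote.

$DroppedName   = 'vgfeuk.exe'
$ParentSha256  = '6b2d58563e9a4883f39cb956c8da7e49792f95139341670120927e214b30ca8c'
$DroppedSha256 = '38bc499c1d4b0aa84c83640c033d0cb370328a75931c8f61908ac0edb35bb927'
$KnownHashes   = @($ParentSha256, $DroppedSha256)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $location, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Location = $location; Detail = $detail })
}

# 1. "Adds Run key to start application": look for the dropped file name in
#    the user and machine Run keys (32-bit view included on x64 hosts).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        if ("$($prop.Value)" -match [regex]::Escape($DroppedName)) {
            Add-Finding 'RunKey' "$key\$($prop.Name)" $prop.Value
        }
    }
}

# 2. "Modifies visibility of hidden/system files in Explorer": record the
#    current Explorer settings for comparison with the user's baseline.
#    Hidden: 1 = show hidden files, 2 = hide. ShowSuperHidden: 1 = show
#    protected OS files, 0 = hide. Both are also the defaults for a fresh
#    profile, so they are reported rather than flagged on their own.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $adv) {
    $v = Get-ItemProperty -Path $adv
    Add-Finding 'ExplorerVisibility' "$adv\Hidden" $v.Hidden
    Add-Finding 'ExplorerVisibility' "$adv\ShowSuperHidden" $v.ShowSuperHidden
}

# 3. "Checks computer location settings": the value a geofence check reads.
$geo = 'HKCU:\Control Panel\International\Geo'
if (Test-Path $geo) {
    Add-Finding 'GeoNation' "$geo\Nation" (Get-ItemProperty -Path $geo).Nation
}

# 4. "Executes dropped EXE": the sample wrote its copy to the profile root
#    (C:\Users\<user>\vgfeuk.exe in the sandbox). Hash every copy found under
#    C:\Users and compare with both report hashes: the dropped copy is a
#    different file from the parent despite the identical 228KB size, so an
#    IOC built from a single hash would miss one of them.
foreach ($f in Get-ChildItem -Path 'C:\Users\*' -Filter $DroppedName -File -ErrorAction SilentlyContinue) {
    $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    $verdict = if ($KnownHashes -contains $h) { 'matches report hash' } else { 'name match, unknown hash' }
    Add-Finding 'DroppedFile' $f.FullName "$h ($verdict)"
}

if ($findings.Count -eq 0) { 'No artefacts from this report found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in an elevated PowerShell session so the HKLM Run keys and other users' profiles are readable; a name match with an unknown hash is still worth pulling for analysis, since the dropped copy already differs from the parent in this report.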

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\vgfeuk.exe

    Filesize

    228KB

    MD5

    a1ead67944d8604476ce71d706f0e6bf

    SHA1

    d523d3e5edb181df3719805fbc805c9543cffadd

    SHA256

    38bc499c1d4b0aa84c83640c033d0cb370328a75931c8f61908ac0edb35bb927

    SHA512

    b354140ec84120d9be8ad2ba342bce7cd29019e3f9b97de7ceb11004121d3cb5057728aa6857d9caa06e302012b12281fbfbe23cbe8a4729e924ac5531bd99d0
