Analysis
max time kernel: 154s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 02:38
Static task: static1
Behavioral task: behavioral1
  Sample: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe
  Resource: win10v2004-20220901-en
General
Target: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe
Size: 84KB
MD5: f7a01298c1186af504e422504788d9cf
SHA1: 899823d8b509a2b08993e6c8b29eef63d05d1992
SHA256: bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9
SHA512: 7d4086d040db36cdbf253e89b48ce076fb8ff7004bf3c8eadbc835eeb38646055567702d607d654f02cc5fad3d4cc6e435424aa922654b9ede6f55ce75f9efb9
SSDEEP: 1536:L2Ek2YwI+mwdQBGlF2e5kFWNTr1OVz+IHQV:LP1VFkoF2eC0Az+IH0
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/1396-135-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1396-137-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1396-138-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral2/memory/1396-139-0x0000000000400000-0x000000000040F000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2160 set thread context of 1396 | 2160 | bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe | 84

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1396 | svchost.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2160 | bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2160 wrote to memory of 1396 | 2160 | bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe | 84 (8 identical entries)
PID 2160 wrote to memory of 4804 | 2160 | bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe | 85 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe (PID 2160)
  command line: "C:\Users\Admin\AppData\Local\Temp\bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 1396, child of 2160)
    command line: "C:\Windows\system32\svchost.exe"
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (PID 4804, child of 2160)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "
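Added example, not part of the tria.ge report or the sample: a small Python triage script that re-types the report's process tree, its WriteProcessMemory / SetThreadContext rows and its yara memory hits as constructed input, and scores each parent/child pair for process hollowing. The reasoning it encodes is the one a reviewer would apply to the rows above: a parent that writes into a child it has just spawned and then calls SetThreadContext on it, where the child is svchost.exe started without a "-k <group>" argument and with a parent other than services.exe, and where a region at the 32-bit default image base 0x400000 in that child's memory matches the upx rule, is the classic hollowing pattern. The three writes into cmd.exe (PID 4804) have no matching SetThreadContext and are deliberately not flagged. The dictionary field names, the event tuples and the function names are this example's own assumptions, not the sandbox's export format.

```python
import re
from collections import defaultdict

# Constructed input, re-typed from the report above; field names are this
# example's own, not the sandbox's export format.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bdc1dd45cda5ceff4d0a62efd37a3cff70a5715eb44f6e4f5fa75e8f7571fba9.exe")

PROCESSES = {
    2160: {"image": SAMPLE, "cmdline": f'"{SAMPLE}"', "parent": None},
    1396: {"image": r"C:\Windows\SysWOW64\svchost.exe",
           "cmdline": r'"C:\Windows\system32\svchost.exe"', "parent": 2160},
    4804: {"image": r"C:\Windows\SysWOW64\cmd.exe",
           "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "',
           "parent": 2160},
}

# (api, source_pid, target_pid): 8 writes into svchost, 3 into cmd, one context set.
API_EVENTS = ([("WriteProcessMemory", 2160, 1396)] * 8
              + [("WriteProcessMemory", 2160, 4804)] * 3
              + [("SetThreadContext", 2160, 1396)])

YARA_HITS = [
    (f"behavioral2/memory/1396-{seq}-0x0000000000400000-0x000000000040F000-memory.dmp", "upx")
    for seq in (135, 137, 138, 139)
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_memory_hit(resource, rule):
    """Split a tria.ge memory-dump resource name into pid, dump sequence and address range."""
    m = DUMP_RE.search(resource)
    if not m:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": rule}


def svchost_anomalies(pid, processes):
    """A legitimate svchost.exe is started by services.exe with a '-k <group>' argument."""
    proc = processes.get(pid)
    if not proc or not proc["image"].lower().endswith("\\svchost.exe"):
        return []
    reasons = []
    if "-k" not in proc["cmdline"].lower().split():
        reasons.append("svchost.exe launched without a -k service group")
    parent = processes.get(proc.get("parent"), {})
    if not parent.get("image", "").lower().endswith("\\services.exe"):
        reasons.append("svchost.exe parent is not services.exe")
    return reasons


def hollowing_candidates(processes, api_events, yara_hits):
    """Flag (parent, child) pairs showing write + SetThreadContext, with supporting evidence."""
    writes = defaultdict(int)
    context_set = set()
    for api, src, dst in api_events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            context_set.add((src, dst))

    hits_by_pid = defaultdict(list)
    for resource, rule in yara_hits:
        hit = parse_memory_hit(resource, rule)
        if hit:
            hits_by_pid[hit["pid"]].append(hit)

    findings = []
    for (src, dst), count in sorted(writes.items()):
        # Writes without a thread-context change (cmd.exe here) are not hollowing on their own.
        if (src, dst) not in context_set:
            continue
        reasons = [f"{src} wrote into {dst} {count} times, then called SetThreadContext"]
        reasons += svchost_anomalies(dst, processes)
        regions = sorted({(h["start"], h["end"], h["rule"]) for h in hits_by_pid[dst]})
        for start, end, rule in regions:
            reasons.append(f"yara '{rule}' on {dst} memory 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
        findings.append({"parent": src, "child": dst,
                         "image": processes.get(dst, {}).get("image"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(PROCESSES, API_EVENTS, YARA_HITS):
        print(f"possible process hollowing: {f['parent']} -> {f['child']} ({f['image']})")
        for r in f["reasons"]:
            print("  -", r)
```

Run as-is it prints one finding, 2160 -> 1396, with the missing -k argument, the non-services.exe parent and the 0x00400000-0x0040f000 upx region as evidence. The svchost checks are the cheap part to carry into a real detection rule: an svchost.exe whose command line has no "-k" token or whose parent is not services.exe is anomalous on any supported Windows build, independently of any sandbox API trace.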
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 176B
MD5: 114fa56a27e1d62bcf7f5e53fe0a4b14
SHA1: d80039195fc522cb90d40e213684f5ba9f72821f
SHA256: fab65e28342bd6c887ac93f16372bc0719b61cfe28a2cd85edee4673d63324a4
SHA512: 23dbb4f4f33be60492d99c50a726a7f8173d414f7b1070d9dea75f577c4b6f870756b9260843eb247fe8939b06498dcacaaacd9b8c40fbe7d003fe1884eebee4