Analysis
  max time kernel:  62s
  max time network: 120s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        22/09/2022, 04:18
Static task: static1
Behavioral task: behavioral1
  Sample:   DRAFT.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   DRAFT.exe
  Resource: win10v2004-20220812-en
General
  Target: DRAFT.exe
  Size:   859KB
  MD5:    eeef1bb50b50ea56de000b58d5d1af23
  SHA1:   913f174bbe99536c02b13b814aece6618dd44d88
  SHA256: c8e6840e3aa32b2f68c912e0cd09d6956863418a7bb5cd552dc2fde563d53327
  SHA512: 4845b3e98c4ab85ec65da6219464057bcd6fc3bfa0ae3f460c81c9d5bf93586f118deb433369779a3782deea9a34406830d2a7932e120b54087228ee4bf7f4bd
  SSDEEP: 12288:32wnbnku/zUCyxjiurvwqFrl/FeYnjSScwGlW0b:3JnTkyy2urJFJ3jJ7g
Malware Config
Signatures

  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely for geofencing.
    description: Key value queried
    ioc:         \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
    process:     DRAFT.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   process
    2424  schtasks.exe

  Suspicious behavior: EnumeratesProcesses (13 IoCs)
    pid   process         entries
    2268  DRAFT.exe       11
    3412  powershell.exe  2

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   process
    Token: SeDebugPrivilege   2268  DRAFT.exe
    Token: SeDebugPrivilege   3412  powershell.exe

  Suspicious use of WriteProcessMemory (21 IoCs)
    description                        pid   process    procid_target  entries
    PID 2268 wrote to memory of 3412   2268  DRAFT.exe  90             3
    PID 2268 wrote to memory of 2424   2268  DRAFT.exe  92             3
    PID 2268 wrote to memory of 4184   2268  DRAFT.exe  94             3
    PID 2268 wrote to memory of 1464   2268  DRAFT.exe  95             3
    PID 2268 wrote to memory of 3760   2268  DRAFT.exe  96             3
    PID 2268 wrote to memory of 2796   2268  DRAFT.exe  97             3
    PID 2268 wrote to memory of 1716   2268  DRAFT.exe  98             3
Processes

  [depth 1] C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
    command: "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
    PID: 2268
    signatures:
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VJZbyPULlZx.exe"
      PID: 3412
      signatures:
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\SysWOW64\schtasks.exe
      command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VJZbyPULlZx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4074.tmp"
      PID: 2424
      signatures:
        Creates scheduled task(s)

    [depth 2] C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
      command: "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
      PID: 4184

    [depth 2] C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
      command: "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
      PID: 1464

    [depth 2] C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
      command: "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
      PID: 3760

    [depth 2] C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
      command: "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
      PID: 2796

    [depth 2] C:\Users\Admin\AppData\Local\Temp\DRAFT.exe
      command: "C:\Users\Admin\AppData\Local\Temp\DRAFT.exe"
      PID: 1716
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 1KB
  MD5:      8c536c3faa3059aa6facd38d196029bd
  SHA1:     747cabe84b08ad8d7cf749364236a0f89a05c010
  SHA256:   3b5c43ea049abb4ea39211efb889efc67a05598932915bc9488fcce70b28ff40
  SHA512:   1b63efb366bedc2c2933aaced6cfd6b2b81d0ff7050025f6cbbec3d1de8b0689ab77a60f05a5d4fc342d8ce2ba553d01be688bd7f979062e9b88a7b6fdc3cc71