Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
124s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2022, 23:16
Static task
static1
Behavioral task
behavioral1
Sample
85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe
Resource
win10v2004-20220812-en
General
-
Target
85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe
-
Size
1.1MB
-
MD5
40edff786a13bc885ce77a9dd62818e0
-
SHA1
8addc969511b6fc14c4e8a5290cf4d678109905b
-
SHA256
85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df
-
SHA512
ddbb265596a84d2cebced3473513a309401f29712294713a2f114c00a903a0d5a4bbd9c1c7de3f26ffa30116719823060826ac6d2b64d1b9b5ff648a3752b21a
-
SSDEEP
24576:RWvknOMEfgOCK15JS02rfBvJneBrmWt8azQ6S+HkR6b9HsDZrD+M:RUeOMmBJSDrfBvJeBr0X+EcN0rD+M
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4232 Setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS Setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Setup.exe = "1" Setup.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN Setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Setup.exe = "0" Setup.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND Setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND\Setup.exe = "0" Setup.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5040 wrote to memory of 4232 5040 85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe 81 PID 5040 wrote to memory of 4232 5040 85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe 81 PID 5040 wrote to memory of 4232 5040 85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe"C:\Users\Admin\AppData\Local\Temp\85d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\a2aDbWHA8d\Mr3oaiCB\Setup.exeC:\Users\Admin\AppData\Local\Temp\a2aDbWHA8d\Mr3oaiCB\Setup.exe --relaunch2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:4232
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD540edff786a13bc885ce77a9dd62818e0
SHA18addc969511b6fc14c4e8a5290cf4d678109905b
SHA25685d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df
SHA512ddbb265596a84d2cebced3473513a309401f29712294713a2f114c00a903a0d5a4bbd9c1c7de3f26ffa30116719823060826ac6d2b64d1b9b5ff648a3752b21a
-
Filesize
1.1MB
MD540edff786a13bc885ce77a9dd62818e0
SHA18addc969511b6fc14c4e8a5290cf4d678109905b
SHA25685d4bac27db252187b21a3c9995f60bdf2f401224abd3396fac187eae130a3df
SHA512ddbb265596a84d2cebced3473513a309401f29712294713a2f114c00a903a0d5a4bbd9c1c7de3f26ffa30116719823060826ac6d2b64d1b9b5ff648a3752b21a