Analysis

max time kernel: 116s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2022, 19:53
Static task: static1

Behavioral task: behavioral1
  Sample: 3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047.exe
  Resource: win10v2004-20220812-en
General

Target: 3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047.exe
Size: 5.0MB
MD5: 428effc51f7b673ed032ffebb0cae50b
SHA1: ac1a0f69f497547daf854a332a1f288ca295179a
SHA256: 3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047
SHA512: 22138a15989a1d3c5e68dce31f85c79a36e8b631fb85609c424c359a9756914fb34da0f9db89c999b811957ecd17041b917720178565baea3f6f7af5ad9fb682
SSDEEP: 98304:HKbs+KniHMDhTG8WKIgt8QJlx7K0DP5TgMNNcbrcW7YsAKo16gvJXUaS8zA:HKVSiOTG8pIgN7KwxRArc4YsAKDEdev
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  pid   Process
  4944  msisetup.exe
  4936  msisetup.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Process: 3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047.exe

- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 4944 set thread context of 4936  4944  msisetup.exe  83

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4936  msisetup.exe
  4936  msisetup.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4944  msisetup.exe
  4936  msisetup.exe
  4936  msisetup.exe

- Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed, count given per row)
  description                       pid   Process                                                                   procid_target  count
  PID 4684 wrote to memory of 4944  4684  3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047.exe  82             3
  PID 4944 wrote to memory of 4936  4944  msisetup.exe                                                              83             17
  PID 4936 wrote to memory of 3104  4936  msisetup.exe                                                              84             2
Processes

- C:\Users\Admin\AppData\Local\Temp\3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c0a9947e72bb6c3965b7f5e556331667d95698e078faf6d07ac7994fdc7d047.exe"
  PID: 4684
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msisetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\msisetup.exe"
    PID: 4944
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msisetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\msisetup.exe"
      PID: 4936
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      - C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
        PID: 3104

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 3768
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 15.1MB
  MD5: 1e446eb62df775a6bced88d8027f4f35
  SHA1: 0055f2702e8806193717ecd73a665bead7d32a2b
  SHA256: 6de7cc1f1e08bf52c5064e49fb85c2e74ff83d470d0a970b38c128cb01e1778d
  SHA512: 31bd01b5fa9d903f1ce122826a8fb1927e67a380029f7b62c348812ce60744c006b08c2e4ebd024bd96a4454052e8d7a29f63a1529b215ded8d4a6eba9334efc