Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

d611f6e0b6...94.exe

windows7-x64

10

d611f6e0b6...94.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 00:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d611f6e0b64547ac953189aac476717cb49fd097b139d1a905c03430f3315294.exe

  • Size

    520KB

  • MD5

    4bd214f6e1ec31266a50459fd7034fab

  • SHA1

    00ce038bfb49bb58c5545f445fa06929aa9ff22d

  • SHA256

    d611f6e0b64547ac953189aac476717cb49fd097b139d1a905c03430f3315294

  • SHA512

    9bd885a29d3564c4219f4e7b17e0f77dfb0c0a74954fc19f6cacd3ea44d504c01633ff32ed4588571f7af03cfc9ad5e2b3f6f1c53ba3999ba6acdf16864806ec

  • SSDEEP

    12288:jQ5GA6wigctwxaJOri8KuMhEAF/Lc0CTbkwnj3Zz:k5KwTIzJSPK/hHjXoBj3Zz

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 55 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:600
    • C:\Users\Admin\AppData\Local\Temp\d611f6e0b64547ac953189aac476717cb49fd097b139d1a905c03430f3315294.exe
      "C:\Users\Admin\AppData\Local\Temp\d611f6e0b64547ac953189aac476717cb49fd097b139d1a905c03430f3315294.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Users\Admin\jdFfFL.exe
        C:\Users\Admin\jdFfFL.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4900
        • C:\Users\Admin\yuimiim.exe
          "C:\Users\Admin\yuimiim.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1992
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del jdFfFL.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5040
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:884
      • C:\Users\Admin\2sag.exe
        C:\Users\Admin\2sag.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Users\Admin\2sag.exe
          "C:\Users\Admin\2sag.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2992
        • C:\Users\Admin\2sag.exe
          "C:\Users\Admin\2sag.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4120
        • C:\Users\Admin\2sag.exe
          "C:\Users\Admin\2sag.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:220
        • C:\Users\Admin\2sag.exe
          "C:\Users\Admin\2sag.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2228
        • C:\Users\Admin\2sag.exe
          "C:\Users\Admin\2sag.exe"
          4⤵
          • Executes dropped EXE
          PID:4352
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 80
            5⤵
            • Program crash
            PID:404
      • C:\Users\Admin\3sag.exe
        C:\Users\Admin\3sag.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Users\Admin\AppData\Local\2aebb42b\X
          *0*bc*94677c17*31.193.3.240:53
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:984
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del d611f6e0b64547ac953189aac476717cb49fd097b139d1a905c03430f3315294.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352
    1⤵
      PID:4508

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit

    • C:\Users\Admin\2sag.exe
      Filesize

      128KB

      MD5

      924fe045ea0c544f82d322b9e370da60

      SHA1

      68ef8b8426fc7f53318cfbf648803aec7429e352

      SHA256

      480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

      SHA512

      0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

      Download Submit

    • C:\Users\Admin\3sag.exe
      Filesize

      279KB

      MD5

      bc605c3a569330b1b08106d694366d7c

      SHA1

      71ee2d38c8da32dea44ad2c254a1499b98333a92

      SHA256

      84205e9b8a9ed3bc40be0cb2fb17d8ab16de65c01c282bdb664846940749661d

      SHA512

      b70fc535e7638d326e852ab79e5d328d4c5f111b8a8af4b58da01754ecb77465f5c62c3f68c72573a1e4b6345393862f5e6e3b269754fe1feaf5ba8b86c17d4c

      Download Submit

    • C:\Users\Admin\3sag.exe
      Filesize

      279KB

      MD5

      bc605c3a569330b1b08106d694366d7c

      SHA1

      71ee2d38c8da32dea44ad2c254a1499b98333a92

      SHA256

      84205e9b8a9ed3bc40be0cb2fb17d8ab16de65c01c282bdb664846940749661d

      SHA512

      b70fc535e7638d326e852ab79e5d328d4c5f111b8a8af4b58da01754ecb77465f5c62c3f68c72573a1e4b6345393862f5e6e3b269754fe1feaf5ba8b86c17d4c

      Download Submit

    • C:\Users\Admin\AppData\Local\2aebb42b\X
      Filesize

      38KB

      MD5

      72de2dadaf875e2fd7614e100419033c

      SHA1

      5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

      SHA256

      c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

      SHA512

      e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

      Download Submit

    • C:\Users\Admin\AppData\Local\2aebb42b\X
      Filesize

      38KB

      MD5

      72de2dadaf875e2fd7614e100419033c

      SHA1

      5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

      SHA256

      c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

      SHA512

      e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

      Download Submit

    • C:\Users\Admin\jdFfFL.exe
      Filesize

      216KB

      MD5

      5a9281e62a888f4ea82402cec883292d

      SHA1

      b997d0f7f8aecd9730b03f5e5b6b63466890ae94

      SHA256

      cd3b178a6469ddb3bf95a7425a2dbf77a71cb83d813509dcbc2357263693cd23

      SHA512

      99f6248391a17417fe6ca166a72203e44e3ebd31d1fd25e5dc45513ebd7d974a73184854c79baaeba59becf702d3f248c33b69361d36f03647dce177c324678b

      Download Submit

    • C:\Users\Admin\jdFfFL.exe
      Filesize

      216KB

      MD5

      5a9281e62a888f4ea82402cec883292d

      SHA1

      b997d0f7f8aecd9730b03f5e5b6b63466890ae94

      SHA256

      cd3b178a6469ddb3bf95a7425a2dbf77a71cb83d813509dcbc2357263693cd23

      SHA512

      99f6248391a17417fe6ca166a72203e44e3ebd31d1fd25e5dc45513ebd7d974a73184854c79baaeba59becf702d3f248c33b69361d36f03647dce177c324678b

      Download Submit

    • C:\Users\Admin\yuimiim.exe
      Filesize

      216KB

      MD5

      e63d5be0198d6deb80e99a633fd69670

      SHA1

      0aaf258a32ede133db45f3c6e65fcb18f0df7993

      SHA256

      a73f286bcb3cf7ea69544592dfa668c93ca5e1663cd9f40fa6daa8b561a551f3

      SHA512

      48031d7001a66768ec936eccfab005c268624f620529575d7ca5c64dde3841f79782743a8d5829fad9c7af78aab8873ea0f65ad2bd2fa9f7505a008a4355b3a7

      Download Submit

    • C:\Users\Admin\yuimiim.exe
      Filesize

      216KB

      MD5

      e63d5be0198d6deb80e99a633fd69670

      SHA1

      0aaf258a32ede133db45f3c6e65fcb18f0df7993

      SHA256

      a73f286bcb3cf7ea69544592dfa668c93ca5e1663cd9f40fa6daa8b561a551f3

      SHA512

      48031d7001a66768ec936eccfab005c268624f620529575d7ca5c64dde3841f79782743a8d5829fad9c7af78aab8873ea0f65ad2bd2fa9f7505a008a4355b3a7

      Download Submit

    • memory/220-173-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/220-183-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/220-174-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/220-166-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2228-184-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2228-170-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2228-175-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2228-177-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2992-156-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2992-148-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2992-188-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2992-179-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2992-154-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/3484-190-0x00000000009CE000-0x0000000000A04000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3484-189-0x0000000030670000-0x00000000306C2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3484-195-0x00000000009CE000-0x0000000000A04000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3484-194-0x0000000030670000-0x00000000306C2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/4120-181-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4120-162-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4120-160-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4120-157-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download