Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
156s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2022, 09:09
Static task
static1
Behavioral task
behavioral1
Sample
20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe
Resource
win10v2004-20220812-en
General
-
Target
20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe
-
Size
43KB
-
MD5
70d5137805a18540bfeeb24ad3fc9e20
-
SHA1
9f08733199dd0a53f9bfb54c7e40b03fde3e1353
-
SHA256
20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b
-
SHA512
e69f1926e172edb8fc72253fcddd595e63338cbdcf3dd705f2d14dec3170b2bf2767c83f97380b62b5104ca1b6fbe3d1e6db90280af443525a0cef6313f4a80b
-
SSDEEP
768:BjC4Fb8OPuF9SQoizcrq92T62cf501q6HIjHHUqvt21eNYL1EDeNXMw2HCCjPkax:fe2rVTILidgeQHCCrk
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5020 adnaps.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3040 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\126d6664748f36dd8dda1ca4d9b4d720.exe adnaps.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\126d6664748f36dd8dda1ca4d9b4d720.exe adnaps.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\126d6664748f36dd8dda1ca4d9b4d720 = "\"C:\\Users\\Admin\\AppData\\Roaming\\adnaps.exe\" .." adnaps.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\126d6664748f36dd8dda1ca4d9b4d720 = "\"C:\\Users\\Admin\\AppData\\Roaming\\adnaps.exe\" .." adnaps.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe 5020 adnaps.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5020 adnaps.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2784 wrote to memory of 5020 2784 20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe 82 PID 2784 wrote to memory of 5020 2784 20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe 82 PID 2784 wrote to memory of 5020 2784 20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe 82 PID 5020 wrote to memory of 3040 5020 adnaps.exe 83 PID 5020 wrote to memory of 3040 5020 adnaps.exe 83 PID 5020 wrote to memory of 3040 5020 adnaps.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe"C:\Users\Admin\AppData\Local\Temp\20af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Roaming\adnaps.exe"C:\Users\Admin\AppData\Roaming\adnaps.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\adnaps.exe" "adnaps.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:3040
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD570d5137805a18540bfeeb24ad3fc9e20
SHA19f08733199dd0a53f9bfb54c7e40b03fde3e1353
SHA25620af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b
SHA512e69f1926e172edb8fc72253fcddd595e63338cbdcf3dd705f2d14dec3170b2bf2767c83f97380b62b5104ca1b6fbe3d1e6db90280af443525a0cef6313f4a80b
-
Filesize
43KB
MD570d5137805a18540bfeeb24ad3fc9e20
SHA19f08733199dd0a53f9bfb54c7e40b03fde3e1353
SHA25620af80cbe3e6b1a932d1972fc392ed92562f7ea1bfafe27e0412d1341246389b
SHA512e69f1926e172edb8fc72253fcddd595e63338cbdcf3dd705f2d14dec3170b2bf2767c83f97380b62b5104ca1b6fbe3d1e6db90280af443525a0cef6313f4a80b