Analysis
- max time kernel: 155s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/10/2022, 10:11
Static task: static1
Behavioral task: behavioral1
- Sample: 3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383.exe
- Resource: win10v2004-20220812-en
General
- Target: 3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383.exe
- Size: 193KB
- MD5: 67af7bfc251b66e12da5d08a1e45fba0
- SHA1: 67b7a665847884f855321b33136052bdc9fc4b72
- SHA256: 3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383
- SHA512: a7e62bd841be84f4f66a3e99a7191ffa554c6ba488b895f3e23d04c11da9128650cf142589a98fc6ae51fd22ae4c6807bf3e538797271e0ecb755e98e8fd52fb
- SSDEEP: 3072:YNObDvd2vvqgZ9nhEDAVIonwz8WNvjQH2vOBkvuHozZhDHKW4d6Enial0WRBAgVI:YBvvqgZ9nh2jQH2WBSURzlBjI
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3552, process yahoo.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 1576, process netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process 3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f82f07d693f4fdc41f8dd7242df85d3f = "\"C:\\ProgramData\\yahoo.exe\" .." (process yahoo.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f82f07d693f4fdc41f8dd7242df85d3f = "\"C:\\ProgramData\\yahoo.exe\" .." (process yahoo.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All entries by pid 3552, process yahoo.exe:
  Token: SeDebugPrivilege (1 entry)
  Token: 33 (16 entries)
  Token: SeIncBasePriorityPrivilege (16 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4936 (3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383.exe) wrote to memory of PID 3552, procid_target 83 (3 entries)
  PID 3552 (yahoo.exe) wrote to memory of PID 1576, procid_target 87 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383.exe (PID 4936)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\yahoo.exe (PID 3552), child of PID 4936
    Command line: "C:\ProgramData\yahoo.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1576), child of PID 3552
      Command line: netsh firewall add allowedprogram "C:\ProgramData\yahoo.exe" "yahoo.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 193KB
  MD5: 67af7bfc251b66e12da5d08a1e45fba0
  SHA1: 67b7a665847884f855321b33136052bdc9fc4b72
  SHA256: 3c5f8cb08c9304a4926891598e294dbdb403b30102079b324aeb2a98a5297383
  SHA512: a7e62bd841be84f4f66a3e99a7191ffa554c6ba488b895f3e23d04c11da9128650cf142589a98fc6ae51fd22ae4c6807bf3e538797271e0ecb755e98e8fd52fb