Analysis
max time kernel: 140s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 23:30
Static task: static1
Behavioral task: behavioral1
  Sample: 7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
  Resource: win10v2004-20220812-en
(The results below are from behavioral2, the Windows 10 run; the memory dumps are tagged behavioral2.)
General
Target: 7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
Size: 452KB
MD5: 6b2e05f5caa933b3baeb6c086fc1f91f
SHA1: 450ef99d4fe7939583488f2a970eba59d6f936d3
SHA256: 7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914
SHA512: 640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94
SSDEEP: 3072:1+kZqVeInSk82TfatZ9mD5fvNj6kECsjZ:1jaSk8iCtPmD5Hl6ysN
Malware Config
Signatures

Executes dropped EXE 4 IoCs
pid   Process
1608  winlogon.exe
232   winlogon.exe
4464  winlogon.exe
4564  winlogon.exe
Memory dumps matching yara rule 'upx' 6 IoCs
resource                                                                       yara_rule
behavioral2/memory/4368-134-0x0000000000400000-0x000000000041C000-memory.dmp  upx
behavioral2/memory/4368-136-0x0000000000400000-0x000000000041C000-memory.dmp  upx
behavioral2/memory/4368-137-0x0000000000400000-0x000000000041C000-memory.dmp  upx
behavioral2/memory/4368-147-0x0000000000400000-0x000000000041C000-memory.dmp  upx
behavioral2/memory/232-153-0x0000000000400000-0x000000000041C000-memory.dmp   upx
behavioral2/memory/232-157-0x0000000000400000-0x000000000041C000-memory.dmp   upx
Note: the matching region is the same 0x400000-0x41C000 range (0x1C000 bytes) in both PID 4368 and PID 232, the two processes that also appear as SetThreadContext targets below, so the same UPX-packed image is present in memory in each of them.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
Suspicious use of SetThreadContext 4 IoCs
description                          pid   Process                                                                procid_target
PID 4932 set thread context of 4368  4932  7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe  85
PID 1608 set thread context of 232   1608  winlogon.exe                                                           89
PID 232 set thread context of 4464   232   winlogon.exe                                                           90
PID 232 set thread context of 4564   232   winlogon.exe                                                           100
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description; the report records no IoC rows for it, so it should not be read as evidence of encryption activity on its own.)
Program crash 2 IoCs
pid   pid_target  Process       procid_target
1216  4464        WerFault.exe  90
3068  4564        WerFault.exe  100
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
4368  7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
232   winlogon.exe
Suspicious use of WriteProcessMemory 41 IoCs
The report lists one row per write call; identical rows are collapsed here with a count column (3+8+3+3+8+8+8 = 41).
description                       pid   Process                                                                procid_target  count
PID 4932 wrote to memory of 2256  4932  7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe  84             3
PID 4932 wrote to memory of 4368  4932  7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe  85             8
PID 4368 wrote to memory of 1608  4368  7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe  87             3
PID 1608 wrote to memory of 2892  1608  winlogon.exe                                                           88             3
PID 1608 wrote to memory of 232   1608  winlogon.exe                                                           89             8
PID 232 wrote to memory of 4464   232   winlogon.exe                                                           90             8
PID 232 wrote to memory of 4564   232   winlogon.exe                                                           100            8
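The signature tables above are flat lists of events, which hides the structure that matters for triage: which children received memory writes and then a thread-context change from the same parent (the WriteProcessMemory/SetThreadContext pairing used by process hollowing, also called RunPE), versus children that were only written to. The following Python is an added example, not part of the tria.ge report or of the sample; the event tuples are transcribed from the WriteProcessMemory, SetThreadContext, Executes dropped EXE, Program crash and yara 'upx' tables on this page, while the function names and the "hollowed" heuristic are this example's own assumptions. The report does not record event ordering or whether the children were created suspended, so the output is a triage aid rather than proof of hollowing.

```python
# Added example (not from the tria.ge report): rebuild the injection chain from
# the report's signature rows. The event data below is transcribed from the
# report; the function names and the 'hollowed' heuristic are assumptions made
# here, not something the report itself states.
import re
from collections import Counter, defaultdict

SAMPLE = "7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe"
# (writer pid, writer image, target pid): one tuple per WriteProcessMemory row
WRITE_EVENTS = ([(4932, SAMPLE, 2256)] * 3 + [(4932, SAMPLE, 4368)] * 8
                + [(4368, SAMPLE, 1608)] * 3 + [(1608, "winlogon.exe", 2892)] * 3
                + [(1608, "winlogon.exe", 232)] * 8 + [(232, "winlogon.exe", 4464)] * 8
                + [(232, "winlogon.exe", 4564)] * 8)
SET_CONTEXT = {(4932, 4368), (1608, 232), (232, 4464), (232, 4564)}  # SetThreadContext rows
DROPPED_EXE_PIDS = {1608, 232, 4464, 4564}  # Executes dropped EXE rows
CRASHED_PIDS = {4464, 4564}                  # WerFault -p targets (Program crash rows)
UPX_DUMPS = [                                # memory dumps that matched yara rule 'upx'
    "behavioral2/memory/4368-134-0x0000000000400000-0x000000000041C000-memory.dmp",
    "behavioral2/memory/4368-136-0x0000000000400000-0x000000000041C000-memory.dmp",
    "behavioral2/memory/4368-137-0x0000000000400000-0x000000000041C000-memory.dmp",
    "behavioral2/memory/4368-147-0x0000000000400000-0x000000000041C000-memory.dmp",
    "behavioral2/memory/232-153-0x0000000000400000-0x000000000041C000-memory.dmp",
    "behavioral2/memory/232-157-0x0000000000400000-0x000000000041C000-memory.dmp",
]
# tria.ge dump names are <pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def summarize_targets(writes, set_ctx):
    """Per target PID: the writer, the number of writes, and whether that same
    writer also set the target's thread context. Writes plus SetThreadContext
    is the hollowing (RunPE) pairing; writes alone are not enough to call it that."""
    counts = Counter((src, dst) for src, _, dst in writes)
    image_of = {src: img for src, img, _ in writes}
    return {dst: {"writer": src, "writer_image": image_of[src], "writes": n,
                  "hollowed": (src, dst) in set_ctx}
            for (src, dst), n in counts.items()}


def hollowing_candidates(targets):
    """PIDs that received both memory writes and a thread-context change."""
    return sorted(pid for pid, info in targets.items() if info["hollowed"])


def injection_chains(targets):
    """Follow writer -> target edges from each root (a writer that was never a
    target itself) down to the leaves; returns root-to-leaf PID paths."""
    children = defaultdict(list)
    for dst, info in targets.items():
        children[info["writer"]].append(dst)
    paths = []

    def walk(pid, path):
        if pid not in children:       # leaf: nobody was written to by this pid
            paths.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    for root in sorted(set(children) - set(targets)):
        walk(root, [root])
    return paths


def upx_regions(dump_names):
    """Map PID -> size in bytes of the region whose dump matched the 'upx' rule."""
    regions = {}
    for name in dump_names:
        m = DUMP_RE.search(name)
        if m:
            regions[int(m.group(1))] = int(m.group(3), 16) - int(m.group(2), 16)
    return regions


def describe(targets, dropped=DROPPED_EXE_PIDS, crashed=CRASHED_PIDS, dumps=UPX_DUMPS):
    """One text line per root-to-leaf chain, annotating every hop."""
    regions = upx_regions(dumps)
    lines = []
    for path in injection_chains(targets):
        hops = [str(path[0])]
        for pid in path[1:]:
            info = targets[pid]
            tags = ["hollowed" if info["hollowed"] else "write-only", f"{info['writes']} writes"]
            if pid in dropped:
                tags.append("dropped exe")
            if pid in crashed:
                tags.append("crashed")
            if pid in regions:
                tags.append(f"upx region 0x{regions[pid]:X}")
            hops.append(f"{pid} [{', '.join(tags)}]")
        lines.append(" -> ".join(hops))
    return lines


if __name__ == "__main__":
    t = summarize_targets(WRITE_EVENTS, SET_CONTEXT)
    print(f"{len(WRITE_EVENTS)} write events; hollowing candidates: {hollowing_candidates(t)}")
    print("\n".join(describe(t)))
```

Run as a script it prints four chains. The two svchost.exe children (2256 and 2892) only ever received three writes each and show no further activity anywhere in the report, so they are not counted as hollowed; the eight-write targets that also had their thread context set (4368, 232, 4464, 4564) are. The chain ends in the two children that WerFault handled, which is why there are 'upx' dumps only for 4368 and 232.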
Processes (indentation shows depth in the process tree; "cmd:" is the recorded command line)
PID 4932  C:\Users\Admin\AppData\Local\Temp\7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe"
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
  PID 2256  C:\Windows\SysWOW64\svchost.exe
            cmd: C:\Windows\system32\\svchost.exe
  PID 4368  C:\Users\Admin\AppData\Local\Temp\7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
            (no command line shown)
            - Checks computer location settings
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
    PID 1608  C:\Users\Admin\E696D64614\winlogon.exe
              cmd: "C:\Users\Admin\E696D64614\winlogon.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
      PID 2892  C:\Windows\SysWOW64\svchost.exe
                cmd: C:\Windows\system32\\svchost.exe
      PID 232   C:\Users\Admin\E696D64614\winlogon.exe
                (no command line shown)
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
        PID 4464  C:\Users\Admin\E696D64614\winlogon.exe
                  cmd: "C:\Users\Admin\E696D64614\winlogon.exe"
                  - Executes dropped EXE
          PID 1216  C:\Windows\SysWOW64\WerFault.exe
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 12
                    - Program crash
        PID 4564  C:\Users\Admin\E696D64614\winlogon.exe
                  cmd: "C:\Users\Admin\E696D64614\winlogon.exe"
                  - Executes dropped EXE
          PID 3068  C:\Windows\SysWOW64\WerFault.exe
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 12
                    - Program crash
PID 1300  C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4464 -ip 4464
PID 4636  C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4564 -ip 4564
Network
MITRE ATT&CK Enterprise v6
Downloads
The report's Downloads list has five entries, all with the same size and hashes as the submitted sample (the copies are byte-identical to the original), shown once here:
Filesize: 452KB
MD5: 6b2e05f5caa933b3baeb6c086fc1f91f
SHA1: 450ef99d4fe7939583488f2a970eba59d6f936d3
SHA256: 7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914
SHA512: 640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94