Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/10/2022, 02:59

General

  • Target

    358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe

  • Size

    384KB

  • MD5

    6aa10c7a5d6aecb4dfd09647f553dc62

  • SHA1

    798215e3f05eb7dda8dd0ec813681c176a0a9265

  • SHA256

    358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07

  • SHA512

    e212180568baeceda2181f506705a65f255736956cc26e1d80c224e7788b9cc1540943adbb2608ccfd99d7432e7d1d6a53c8dd81d26e949177caeb9b6c7641b9

  • SSDEEP

    6144:4JGK2pYLlY4c6ue7lfhTuJZrM4l8KONb6/SPcGHciKjyISzTOILNhWOmzTTKWiYy:EGK2pYLlY4c6ue7lfhTuJZrM4l8KONbq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
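A static check of the kind that sits behind the "UPX packed file" signature, as an added example; this is not tria.ge's own detection code and it is not run against the samples in this report. It walks the PE section table and looks for the conventional UPX indicators: the UPX0/UPX1 section names, the "UPX!" marker from the UPX pack header, and an initial section that has virtual size but no raw data, which is what remains when a modified UPX renames its sections. The PE skeletons it checks are constructed in-memory fixtures; `build_fake_pe` only fills the fields the parser reads.

```python
import struct
from dataclasses import dataclass

# Section-table entry layout (40 bytes) from the PE/COFF specification:
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_FMT = "<8sIIIIIIHHI"
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


def parse_sections(data: bytes) -> list[Section]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)      # NumberOfSections
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        raw_name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        sections.append(Section(name, vsize, vaddr, rsize, rptr))
    return sections


def pe_section_names(data: bytes) -> list[str]:
    return [s.name for s in parse_sections(data)]


def upx_indicators(data: bytes) -> dict[str, bool]:
    sections = parse_sections(data)
    return {
        # Strong: stock UPX names its sections UPX0/UPX1 (plus .rsrc or UPX2).
        "upx_section_names": any(s.name in UPX_SECTION_NAMES for s in sections),
        # Strong: the UPX pack header carries a literal "UPX!" marker.
        "upx_magic": b"UPX!" in data,
        # Weak: a first section with virtual size but zero raw bytes is the
        # unpacking buffer UPX reserves; a compiler-emitted .text has raw data.
        "empty_first_section": bool(sections) and sections[0].raw_size == 0 and sections[0].virtual_size > 0,
    }


def looks_upx_packed(data: bytes) -> bool:
    """True on any indicator; the weak one alone is a lead to confirm, not a verdict."""
    return any(upx_indicators(data).values())


def build_fake_pe(sections: list[tuple[str, int, int, int, int]], trailer: bytes = b"") -> bytes:
    """Constructed test fixture: a minimal PE32 skeleton that is NOT loadable.
    Only the fields parse_sections() reads are meaningful."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    opt_size = 224                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii"), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rsize, rptr in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table + trailer


# Constructed fixtures modelled on typical layouts (not the samples from this report).
FAKE_UPX = build_fake_pe(
    [("UPX0", 0x10000, 0x1000, 0, 0), ("UPX1", 0x5000, 0x11000, 0x5000, 0x400), (".rsrc", 0x1000, 0x16000, 0x1000, 0x5400)],
    trailer=b"\x00" * 16 + b"UPX!" + b"\x00" * 16,
)
FAKE_RENAMED_UPX = build_fake_pe(
    [(".text", 0x10000, 0x1000, 0, 0), (".data", 0x5000, 0x11000, 0x5000, 0x400), (".rsrc", 0x1000, 0x16000, 0x1000, 0x5400)],
)
FAKE_CLEAN = build_fake_pe(
    [(".text", 0x2000, 0x1000, 0x2000, 0x400), (".data", 0x1000, 0x3000, 0x200, 0x2400), (".rsrc", 0x800, 0x4000, 0x800, 0x2600)],
)

if __name__ == "__main__":
    for label, blob in (("upx", FAKE_UPX), ("renamed", FAKE_RENAMED_UPX), ("clean", FAKE_CLEAN)):
        print(label, pe_section_names(blob), upx_indicators(blob), looks_upx_packed(blob))
```

On a real sample, feed `open(path, "rb").read()` to `upx_indicators`; the renamed fixture shows why the weak indicator is kept even though it should be confirmed by unpacking rather than reported on its own.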

Processes

  • C:\Users\Admin\AppData\Local\Temp\358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe
    "C:\Users\Admin\AppData\Local\Temp\358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\yY6uXQd3.exe
      C:\Users\Admin\yY6uXQd3.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\ygheoj.exe
        "C:\Users\Admin\ygheoj.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3756
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del yY6uXQd3.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4584
    • C:\Users\Admin\2cmd.exe
      C:\Users\Admin\2cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Users\Admin\2cmd.exe
        "C:\Users\Admin\2cmd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3772
    • C:\Users\Admin\3cmd.exe
      C:\Users\Admin\3cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:3524
    • C:\Users\Admin\4cmd.exe
      C:\Users\Admin\4cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:644
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2972
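Detection logic for the behaviours this process tree shows, as an added example: the rules and the event records below are constructed for illustration and are neither tria.ge's signatures nor the sandbox's raw log. The records mirror the tree above (image paths, command lines and PIDs as listed; the parent PID of the initial sample is not in the report, so 1000 is a placeholder). Three rules run over them: the `cmd.exe /c tasklist&&del <file>` self-deletion that both yY6uXQd3.exe and the original sample use, dropped executables launched directly from the user profile root, and a process re-launching its own image, which is the launch pattern next to the SetThreadContext signature on 2cmd.exe.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The subset of a Sysmon Event ID 1 (process create) record the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events modelled on the report's process tree (PIDs as listed there).
EVENTS = [
    ProcEvent(5040, 1000, TEMP_DIR + "\\" + SAMPLE, '"' + TEMP_DIR + "\\" + SAMPLE + '"'),
    ProcEvent(2608, 5040, r"C:\Users\Admin\yY6uXQd3.exe", r"C:\Users\Admin\yY6uXQd3.exe"),
    ProcEvent(3756, 2608, r"C:\Users\Admin\ygheoj.exe", r'"C:\Users\Admin\ygheoj.exe"'),
    ProcEvent(4848, 2608, CMD32, r'"C:\Windows\System32\cmd.exe" /c tasklist&&del yY6uXQd3.exe'),
    ProcEvent(4584, 4848, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(3800, 5040, r"C:\Users\Admin\2cmd.exe", r"C:\Users\Admin\2cmd.exe"),
    ProcEvent(3772, 3800, r"C:\Users\Admin\2cmd.exe", r'"C:\Users\Admin\2cmd.exe"'),
    ProcEvent(5112, 5040, r"C:\Users\Admin\3cmd.exe", r"C:\Users\Admin\3cmd.exe"),
    ProcEvent(3524, 5112, CMD32, r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(644, 5040, r"C:\Users\Admin\4cmd.exe", r"C:\Users\Admin\4cmd.exe"),
    ProcEvent(5108, 5040, CMD32, '"C:\\Windows\\System32\\cmd.exe" /c tasklist&&del ' + SAMPLE),
    ProcEvent(2972, 5108, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
]

# "cmd /c tasklist&&del X": tasklist is a cheap delay, then del removes X once the
# launching process has exited and released the lock on its own image file.
SELF_DELETE = re.compile(r"/c\s+tasklist\s*&&\s*del\s+(\S+)", re.IGNORECASE)
# An executable sitting directly in a user profile root (C:\Users\<user>\X.exe).
USER_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def find_self_deletes(events):
    """(cmd pid, deleted file, parent_is_target) for each tasklist&&del launch;
    parent_is_target is True when the file being deleted is the launcher's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        target = basename(m.group(1))
        hits.append((e.pid, target, parent is not None and basename(parent.image) == target))
    return hits


def find_user_root_executables(events):
    """Images executed from the profile root, the drop location used by this chain."""
    return sorted({e.image for e in events if USER_ROOT_EXE.match(e.image)}, key=str.lower)


def find_self_respawns(events):
    """(parent pid, child pid, image) where a process started a second copy of its own
    image, as 2cmd.exe does (3800 -> 3772) beside its SetThreadContext signature."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid, e.image) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


if __name__ == "__main__":
    print(find_self_deletes(EVENTS))
    print(find_user_root_executables(EVENTS))
    print(find_self_respawns(EVENTS))
```

The image path in the self-delete check is taken from the parent's process record rather than from the command line, because `del yY6uXQd3.exe` is relative to cmd.exe's working directory; matching on basename is what ties the deletion to the launcher. A self-respawn alone is not proof of hollowing, so it is reported as a candidate for the memory dumps listed further down to confirm.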

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\2cmd.exe

      Filesize

      68KB

      MD5

      3a0c1cfad2607489a7b81afeadb1c8de

      SHA1

      505930aa4aacad8743768c73c9d56b7896277cd8

      SHA256

      d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

      SHA512

      277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

    • C:\Users\Admin\3cmd.exe

      Filesize

      204KB

      MD5

      22d9cb396127839a597009a5c0d2092c

      SHA1

      c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

      SHA256

      81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

      SHA512

      f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

    • C:\Users\Admin\4cmd.exe

      Filesize

      36KB

      MD5

      06267a936e89e44812691c5ee418e214

      SHA1

      7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

      SHA256

      c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

      SHA512

      e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

    • C:\Users\Admin\yY6uXQd3.exe

      Filesize

      264KB

      MD5

      490d9698c1890b9b4e1c62dd277c2ddb

      SHA1

      635866f95d176fa2567eb47f078d9a618a9ceb6a

      SHA256

      9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

      SHA512

      3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

    • C:\Users\Admin\ygheoj.exe

      Filesize

      264KB

      MD5

      6d0c0eb8318fbb588ef5778206342a80

      SHA1

      648bc9b88a3e5c2823bf141d20d2981704bccca7

      SHA256

      7ea9c150d4c4f76e6f67987a8e08aff13fbc0ad14207d72c64a666ca1c286f9e

      SHA512

      8b4016c66ae0493e646a94dc652d218d5d5ad18f4d51cb1e27614d1a7d875f99c51ad7cb0adf4ab4150bd75150a57ee99d5c6087476ca6cafd4e68a0a277310b

    • memory/3772-149-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3772-148-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3772-145-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3772-161-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/5112-165-0x0000000030670000-0x00000000306A3000-memory.dmp

      Filesize

      204KB

    • memory/5112-163-0x0000000030670000-0x00000000306A3000-memory.dmp

      Filesize

      204KB

    • memory/5112-162-0x0000000000440000-0x000000000046A000-memory.dmp

      Filesize

      168KB

    • memory/5112-160-0x0000000030670000-0x00000000306A3000-memory.dmp

      Filesize

      204KB