Analysis

  • max time kernel
    180s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 08:17

General

  • Target

    370d2fb999efc14ec741ed52fdf56a993726862bbb06c099773a5dc09d062f89.exe

  • Size

    127KB

  • MD5

    014d1a783d28a633bd596585e85c6eaa

  • SHA1

    c8091d110bd978dd4cd120e9a8e6a36090bc8fb3

  • SHA256

    370d2fb999efc14ec741ed52fdf56a993726862bbb06c099773a5dc09d062f89

  • SHA512

    cec5803170e5b2da001eba689648c8cc0b27508f80ca5834a34054cc8364ffca8c2b7e5cd1b60298f8b574eb14f94c83218a97406250563e590f46d018b3aaf5

  • SSDEEP

    3072:YYe5uwx7W/a7ju63Lq1OsYGSjf9jKj0Zy+VIP2jwSoSLk61PjqrSMAVuVH6qJn6Q:YL5VI/a7nOn7j7T

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\370d2fb999efc14ec741ed52fdf56a993726862bbb06c099773a5dc09d062f89.exe
    "C:\Users\Admin\AppData\Local\Temp\370d2fb999efc14ec741ed52fdf56a993726862bbb06c099773a5dc09d062f89.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\daiifem.exe
      "C:\Users\Admin\daiifem.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4980

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\daiifem.exe

    Filesize

    127KB

    MD5

    69657ae267322053752471ccc061f9b3

    SHA1

    41363021a481ab9350d70cbe7ea57d98094f5b36

    SHA256

    87c1b4725955e1416d50a66b37aafaf83c7b134fb124595727786f136d37f4ad

    SHA512

    5c9dfb7da3764c50bc28b6c1cc48e5d6f4c6511ca6845bf8e65e2389cf50faa5fc6b6c3b92370a5336cc23062a3ee17897533f0f0fbef6bc6c5e38342c46245a

  • C:\Users\Admin\daiifem.exe

    Filesize

    127KB

    MD5

    69657ae267322053752471ccc061f9b3

    SHA1

    41363021a481ab9350d70cbe7ea57d98094f5b36

    SHA256

    87c1b4725955e1416d50a66b37aafaf83c7b134fb124595727786f136d37f4ad

    SHA512

    5c9dfb7da3764c50bc28b6c1cc48e5d6f4c6511ca6845bf8e65e2389cf50faa5fc6b6c3b92370a5336cc23062a3ee17897533f0f0fbef6bc6c5e38342c46245a

  • memory/2940-132-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2940-135-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4980-141-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4980-142-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB