Analysis
- max time kernel: 159s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2022, 12:10
Static task
- static1
Behavioral task
- behavioral1
  Sample: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  Resource: win10v2004-20220812-en
General
- Target: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
- Size: 649KB
- MD5: 65dea0fc97d6416507dbc9721c86a470
- SHA1: e86f2e4c0a833815e1aab94449077fb6fa3ee00e
- SHA256: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787
- SHA512: 692df3f336c72744038bf7460f8a526b972fe5d9a522396aa7959f3027999df6fc01460c13ef9680262a8d29b740c1ffe4809a8a80519d719a950acf673dad73
- SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  4864  qyujboy.exe
  4892  ~DFA250.tmp
  3224  gotiluy.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  ~DFA250.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  pid   Process
  3224  gotiluy.exe (36 repeated events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4892  ~DFA250.tmp
- Suspicious use of WriteProcessMemory (12 IoCs; each row below was recorded three times)
  description                       pid   Process                                                                  procid_target
  PID 3908 wrote to memory of 4864  3908  f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe  80
  PID 4864 wrote to memory of 4892  4864  qyujboy.exe                                                              81
  PID 3908 wrote to memory of 720   3908  f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe  82
  PID 4892 wrote to memory of 3224  4892  ~DFA250.tmp                                                              92
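The WriteProcessMemory rows are the raw material from which the process tree in the Processes section is built. The Python below is an added example, not part of the Triage report: it parses the twelve rows as copied from the report, deduplicates the three repeated events per target, and rebuilds the parent/child lineage (3908 → 4864 → 4892 → 3224, and 3908 → 720). The names for PIDs 720 and 3224, which never appear as writers in this table, are taken from the report's Processes section and passed in as a constructed lookup. Because every target in the table is listed there as a direct child of its writer, these writes accompany process creation; on their own they are a weak signal and should be read together with the process tree.

```python
"""Rebuild the process chain from the 'Suspicious use of WriteProcessMemory'
IoC rows of a Triage report. Added example; the sample input is copied from
this report's table and the target names come from its Processes section."""
import re
from collections import defaultdict

# Constructed input: the twelve IoC rows from the report, one per line.
# Columns: description, pid, Process, procid_target.
WPM_IOCS = """
PID 3908 wrote to memory of 4864 3908 f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe 80
PID 3908 wrote to memory of 4864 3908 f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe 80
PID 3908 wrote to memory of 4864 3908 f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe 80
PID 4864 wrote to memory of 4892 4864 qyujboy.exe 81
PID 4864 wrote to memory of 4892 4864 qyujboy.exe 81
PID 4864 wrote to memory of 4892 4864 qyujboy.exe 81
PID 3908 wrote to memory of 720 3908 f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe 82
PID 3908 wrote to memory of 720 3908 f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe 82
PID 3908 wrote to memory of 720 3908 f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe 82
PID 4892 wrote to memory of 3224 4892 ~DFA250.tmp 92
PID 4892 wrote to memory of 3224 4892 ~DFA250.tmp 92
PID 4892 wrote to memory of 3224 4892 ~DFA250.tmp 92
"""

# Names for PIDs that appear only as targets, taken from the report's
# Processes section (a WriteProcessMemory row never names its target).
TARGET_NAMES = {720: "cmd.exe", 3224: "gotiluy.exe"}

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_name) per row, rejecting rows
    whose description PID disagrees with the pid column."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        desc_pid, target, pid, name, _procid_target = m.groups()
        if desc_pid != pid:
            raise ValueError(f"pid mismatch in row: {line!r}")
        events.append((int(pid), int(target), name))
    return events


def build_tree(events):
    """Map each writer PID to its sorted, deduplicated targets; also return
    a PID -> process name map covering writers and known targets."""
    children = defaultdict(set)
    names = dict(TARGET_NAMES)
    for writer, target, name in events:
        children[writer].add(target)
        names[writer] = name
    return {p: sorted(c) for p, c in children.items()}, names


def parent_map(tree):
    """Invert the tree: child PID -> parent PID."""
    return {child: parent for parent, kids in tree.items() for child in kids}


def roots(tree):
    """Writers that are never a target, i.e. the top of the tree."""
    parents = parent_map(tree)
    return sorted(p for p in tree if p not in parents)


def lineage(tree, pid):
    """Root-to-pid chain, e.g. [3908, 4864, 4892, 3224] for gotiluy.exe."""
    parents = parent_map(tree)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render(tree, names, pid, depth=0):
    """Indented text tree, one line per process, children in PID order."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '<unnamed>')}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree, names = build_tree(parse_wpm(WPM_IOCS))
    for root in roots(tree):
        print("\n".join(render(tree, names, root)))
```

Running the block prints a five-line tree rooted at PID 3908; comparing it against the Processes section is a quick consistency check that no writer in the table targets a process outside the sample's own descendants.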
Processes (indentation and level number show depth in the tree)
[level 1] C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe"
  PID: 3908
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Users\Admin\AppData\Local\Temp\qyujboy.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\qyujboy.exe
    PID: 4864
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp OK
      PID: 4892
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [level 4] C:\Users\Admin\AppData\Local\Temp\gotiluy.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\gotiluy.exe"
        PID: 3224
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
    PID: 720
    Note: the image path is SysWOW64 although the command line names system32. The parent is 32-bit (see the arch:x86 resource tag), so its request for system32\cmd.exe is redirected to SysWOW64 by WoW64 file system redirection; this is normal and not a sign of tampering.
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 341B
  MD5: 14ad64e70a4e83a26ee7753f49662923
  SHA1: 01dc7abbb05ab6416fdff4db72d6a4056310a40e
  SHA256: e5e2feba7c153d7a6dc0f678b63829b0fe1ae5a38bb71f80fc95c55acaa8ca4b
  SHA512: 78f1acfb202fba0109d48c083a50771960f0b74053edd066ac249c990ac50dc9a331236b8579ef923a6ec30c00af41320791f5ae19a4d44e30ed1c7627ed6528
- Filesize: 104B
  MD5: 86bb2dbeaef655893262f3c041f6afe2
  SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
  SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
  SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31
- Filesize: 480B
  MD5: 8ed731cf4fa2d767a8b19a367e114376
  SHA1: 10863c06d03978107fa47fc05f8cd8e26eb2c5d0
  SHA256: 0cac7c400956df931a0b10b063360c3284da9753f4dde625c9a9d3d014090bda
  SHA512: d80075439f0e8b78d9b47fb57051fd5ce7ee647053c7164f99ac5119d9d845fac551870df1cbe4b18664fb3a25ae7d7c40ea2e03827ab0ebe913f3035b35361b
- Filesize: 375KB
  MD5: 8130445a6664b0eb02dd737b3488067d
  SHA1: 7d95ebbe2c856b74e2900f06d70be40a66250860
  SHA256: c93edffd5eaee23ccddd0d03020885dd79efcc6981387165a4f64afce8e2d278
  SHA512: e1bd3b4328b851ab83a73c4df6182a8a39e48fb331bf0acf3b8f6f92ac69a7609f2a043c4281c12b0286c16f37d0b3f745f1bf56285d00a26f306f2f87117d3b
- Filesize: 375KB (second entry with the same hashes as the previous file)
  MD5: 8130445a6664b0eb02dd737b3488067d
  SHA1: 7d95ebbe2c856b74e2900f06d70be40a66250860
  SHA256: c93edffd5eaee23ccddd0d03020885dd79efcc6981387165a4f64afce8e2d278
  SHA512: e1bd3b4328b851ab83a73c4df6182a8a39e48fb331bf0acf3b8f6f92ac69a7609f2a043c4281c12b0286c16f37d0b3f745f1bf56285d00a26f306f2f87117d3b
- Filesize: 650KB
  MD5: d11056f5b005ce3e97d01e3814115d82
  SHA1: 604b7a3856c6649677af25dbfb16ef96a269e949
  SHA256: 943a60188f625644bf806ced60fbeb19b700664b74f27ac2f69c5e2d02064680
  SHA512: bf70a01fc26af07acafbf5e43f7979cde478394483be89ee02d86bdeb666e45356e9077ae9cee1a49c2e43b9ae9f920a8cdf07e49c0acd74339bb91f0d950000
- Filesize: 650KB (second entry with the same hashes as the previous file)
  MD5: d11056f5b005ce3e97d01e3814115d82
  SHA1: 604b7a3856c6649677af25dbfb16ef96a269e949
  SHA256: 943a60188f625644bf806ced60fbeb19b700664b74f27ac2f69c5e2d02064680
  SHA512: bf70a01fc26af07acafbf5e43f7979cde478394483be89ee02d86bdeb666e45356e9077ae9cee1a49c2e43b9ae9f920a8cdf07e49c0acd74339bb91f0d950000
- Filesize: 653KB
  MD5: a75f989a713fe01b4b6c7e203f223764
  SHA1: 546342a14f631e533fd469592792206f1c2160a6
  SHA256: b541b73179ea71a0dd4b9179318d0842a1155e8068e25b1439c8fd0a9fb44f6e
  SHA512: 9e41d73b71330f7844e8e8795b051a0d377748317a495237bc4ae9b1405551344ee3c2c56a50f85b71f08ba4d416e15e9f79fc6fea718a81dac386de0c8de6a2
- Filesize: 653KB (second entry with the same hashes as the previous file)
  MD5: a75f989a713fe01b4b6c7e203f223764
  SHA1: 546342a14f631e533fd469592792206f1c2160a6
  SHA256: b541b73179ea71a0dd4b9179318d0842a1155e8068e25b1439c8fd0a9fb44f6e
  SHA512: 9e41d73b71330f7844e8e8795b051a0d377748317a495237bc4ae9b1405551344ee3c2c56a50f85b71f08ba4d416e15e9f79fc6fea718a81dac386de0c8de6a2