Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

f882435caa...87.exe

windows7-x64

8

f882435caa...87.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    159s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe

  • Size

    649KB

  • MD5

    65dea0fc97d6416507dbc9721c86a470

  • SHA1

    e86f2e4c0a833815e1aab94449077fb6fa3ee00e

  • SHA256

    f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787

  • SHA512

    692df3f336c72744038bf7460f8a526b972fe5d9a522396aa7959f3027999df6fc01460c13ef9680262a8d29b740c1ffe4809a8a80519d719a950acf673dad73

  • SSDEEP

    12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
    "C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Users\Admin\AppData\Local\Temp\qyujboy.exe
      C:\Users\Admin\AppData\Local\Temp\qyujboy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp
        C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp OK
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Users\Admin\AppData\Local\Temp\gotiluy.exe
          "C:\Users\Admin\AppData\Local\Temp\gotiluy.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      2⤵
        PID:720

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
      Filesize

      341B

      MD5

      14ad64e70a4e83a26ee7753f49662923

      SHA1

      01dc7abbb05ab6416fdff4db72d6a4056310a40e

      SHA256

      e5e2feba7c153d7a6dc0f678b63829b0fe1ae5a38bb71f80fc95c55acaa8ca4b

      SHA512

      78f1acfb202fba0109d48c083a50771960f0b74053edd066ac249c990ac50dc9a331236b8579ef923a6ec30c00af41320791f5ae19a4d44e30ed1c7627ed6528

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gbp.ini
      Filesize

      104B

      MD5

      86bb2dbeaef655893262f3c041f6afe2

      SHA1

      1b26ff1241c1353bd506c18bd0c11878076ba65d

      SHA256

      4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

      SHA512

      58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      480B

      MD5

      8ed731cf4fa2d767a8b19a367e114376

      SHA1

      10863c06d03978107fa47fc05f8cd8e26eb2c5d0

      SHA256

      0cac7c400956df931a0b10b063360c3284da9753f4dde625c9a9d3d014090bda

      SHA512

      d80075439f0e8b78d9b47fb57051fd5ce7ee647053c7164f99ac5119d9d845fac551870df1cbe4b18664fb3a25ae7d7c40ea2e03827ab0ebe913f3035b35361b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gotiluy.exe
      Filesize

      375KB

      MD5

      8130445a6664b0eb02dd737b3488067d

      SHA1

      7d95ebbe2c856b74e2900f06d70be40a66250860

      SHA256

      c93edffd5eaee23ccddd0d03020885dd79efcc6981387165a4f64afce8e2d278

      SHA512

      e1bd3b4328b851ab83a73c4df6182a8a39e48fb331bf0acf3b8f6f92ac69a7609f2a043c4281c12b0286c16f37d0b3f745f1bf56285d00a26f306f2f87117d3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gotiluy.exe
      Filesize

      375KB

      MD5

      8130445a6664b0eb02dd737b3488067d

      SHA1

      7d95ebbe2c856b74e2900f06d70be40a66250860

      SHA256

      c93edffd5eaee23ccddd0d03020885dd79efcc6981387165a4f64afce8e2d278

      SHA512

      e1bd3b4328b851ab83a73c4df6182a8a39e48fb331bf0acf3b8f6f92ac69a7609f2a043c4281c12b0286c16f37d0b3f745f1bf56285d00a26f306f2f87117d3b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qyujboy.exe
      Filesize

      650KB

      MD5

      d11056f5b005ce3e97d01e3814115d82

      SHA1

      604b7a3856c6649677af25dbfb16ef96a269e949

      SHA256

      943a60188f625644bf806ced60fbeb19b700664b74f27ac2f69c5e2d02064680

      SHA512

      bf70a01fc26af07acafbf5e43f7979cde478394483be89ee02d86bdeb666e45356e9077ae9cee1a49c2e43b9ae9f920a8cdf07e49c0acd74339bb91f0d950000

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qyujboy.exe
      Filesize

      650KB

      MD5

      d11056f5b005ce3e97d01e3814115d82

      SHA1

      604b7a3856c6649677af25dbfb16ef96a269e949

      SHA256

      943a60188f625644bf806ced60fbeb19b700664b74f27ac2f69c5e2d02064680

      SHA512

      bf70a01fc26af07acafbf5e43f7979cde478394483be89ee02d86bdeb666e45356e9077ae9cee1a49c2e43b9ae9f920a8cdf07e49c0acd74339bb91f0d950000

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp
      Filesize

      653KB

      MD5

      a75f989a713fe01b4b6c7e203f223764

      SHA1

      546342a14f631e533fd469592792206f1c2160a6

      SHA256

      b541b73179ea71a0dd4b9179318d0842a1155e8068e25b1439c8fd0a9fb44f6e

      SHA512

      9e41d73b71330f7844e8e8795b051a0d377748317a495237bc4ae9b1405551344ee3c2c56a50f85b71f08ba4d416e15e9f79fc6fea718a81dac386de0c8de6a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~DFA250.tmp
      Filesize

      653KB

      MD5

      a75f989a713fe01b4b6c7e203f223764

      SHA1

      546342a14f631e533fd469592792206f1c2160a6

      SHA256

      b541b73179ea71a0dd4b9179318d0842a1155e8068e25b1439c8fd0a9fb44f6e

      SHA512

      9e41d73b71330f7844e8e8795b051a0d377748317a495237bc4ae9b1405551344ee3c2c56a50f85b71f08ba4d416e15e9f79fc6fea718a81dac386de0c8de6a2

      Download Submit

    • memory/3224-151-0x0000000000400000-0x000000000053E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3224-153-0x0000000000400000-0x000000000053E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3908-132-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3908-145-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3908-138-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/4864-143-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/4864-137-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/4892-142-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/4892-147-0x0000000000400000-0x00000000004DE000-memory.dmp

      Filesize

      888KB

      Download