Analysis

  • max time kernel
    190s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 16:37

General

  • Target

    b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe

  • Size

    655KB

  • MD5

    04e66c511fdf2485df76cbc4a2cb14b0

  • SHA1

    a669c062474a18e31f61dc00a4a3fcaf697b02e9

  • SHA256

    b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9

  • SHA512

    090c99782f65618ab0e9230846b2ab5dc1bcdf433d34819d6a819297bc6b173484259905427420241a965640bf584c4e66db68d7898c08aa5a04c37041235210

  • SSDEEP

    12288:Jq+a9slb39XcI9TC9/1bfLkKKeXnehedVzQjRGf6DbLHAqujSIySgzJ2w7eQke:JqB9TtklkBTzQlGf6DbLHAqujSIcC6

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
    "C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        3⤵
          PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a154D.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
          "C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe" URL="http://down.360safe.com/setup.exe"
            4⤵
              PID:3588
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          2⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1436
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3456
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              4⤵
                PID:4868
            • C:\Windows\SysWOW64\net.exe
              net stop "Kingsoft AntiVirus Service"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1772
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                4⤵
                  PID:648
          • C:\Windows\Explorer.EXE
            C:\Windows\Explorer.EXE
            1⤵
              PID:2348
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:4948
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://down.360safe.com/setup.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4320
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd7efa46f8,0x7ffd7efa4708,0x7ffd7efa4718
                  3⤵
                    PID:980

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$a154D.bat

    Filesize

    722B

    MD5

    7912cbf465c3e8950ce613f336922db2

    SHA1

    e64e3af97a60c5b7b6119ed35ddbf5579a0d4f36

    SHA256

    9e3ab2e30442d6fe0daf9a43f0b0ce17a1dc08f1b4f228da7cce6da3451a00e2

    SHA512

    c9608e01e1042416d4a269b0b864e733bfa8e2a381da000a768a8652ec2dd4cc2385ec816524aec38506951ff4e4811a558bff196507944b5e23d72233a20e02

  • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe

    Filesize

    621KB

    MD5

    b96935d921cb6665638ff00f1b6b8098

    SHA1

    b71c40c76301a52e3d49b06ad3f99afffa178934

    SHA256

    ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93

    SHA512

    40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8

  • C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe.exe

    Filesize

    621KB

    MD5

    b96935d921cb6665638ff00f1b6b8098

    SHA1

    b71c40c76301a52e3d49b06ad3f99afffa178934

    SHA256

    ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93

    SHA512

    40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8

  • C:\Windows\Logo1_.exe

    Filesize

    33KB

    MD5

    d3c9b20260fa9b0131b750f762f5d083

    SHA1

    a41ae48d90e642b7ec53c03e2dcefe75ff9c523c

    SHA256

    73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f

    SHA512

    c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64

  • C:\Windows\rundl132.exe

    Filesize

    33KB

    MD5

    d3c9b20260fa9b0131b750f762f5d083

    SHA1

    a41ae48d90e642b7ec53c03e2dcefe75ff9c523c

    SHA256

    73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f

    SHA512

    c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64

  • memory/1436-150-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1436-141-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2236-138-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2236-133-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB