Analysis
max time kernel: 90s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 16:25
Static task: static1
Behavioral task: behavioral1
  Sample: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
  Resource: win10v2004-20220901-en
General
Target: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
Size: 112KB
MD5: 3dfc6b97ad44bf4ca8667a80e7023b80
SHA1: f33fdd4709d6cd6e91c7e6982e190b734d74c08b
SHA256: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d
SHA512: 2967c25f23089ce5fe975d579f04082bfb53a15e9caefa943cb105094dd6ce4e90ba7409624baf2baf7a51ea901b499c4a2164c0c4e655a2552f32eecf292dfb
SSDEEP: 1536:E9wro4UWQFkQZP2LSkS+yiPmuHS/UWrUuOOJE5fiExEENYaIT8XDyJ:E9whQmQZgjTHScWrUmJElxEECCD
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country configured in the registry, likely a geofence. The value under Geo\Nation is the numeric GeoID of the user's selected location rather than an ISO country code; because it is per-user and trivially settable, a sandbox can satisfy or defeat such a check by setting the GeoID of the region the sample appears to target.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  Process: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments. Services\disk\Enum\0 holds the device instance ID of the first disk, which on virtualised hosts typically embeds the hypervisor vendor string (for example VMware, VBOX or QEMU), so reading it is a cheap hypervisor check.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Process: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
  Process: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox treats this as possible ransomware behaviour. This is a generic heuristic and no IoC was recorded for it in this report, so on its own it does not establish ransomware intent.
Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1764: tasklist.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1764: tasklist.exe
tasklist.exe enables SeDebugPrivilege as a matter of course when listing processes, so this hit belongs to the helper process rather than to the sample itself.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 544: 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 544 wrote to memory of 4632  (544 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe, target 86)
  PID 544 wrote to memory of 4632  (544 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe, target 86)
  PID 544 wrote to memory of 4632  (544 41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe, target 86)
  PID 4632 wrote to memory of 1764 (4632 cmd.exe, target 88)
  PID 4632 wrote to memory of 1764 (4632 cmd.exe, target 88)
  PID 4632 wrote to memory of 1764 (4632 cmd.exe, target 88)
Every target here is a child the writing process itself spawned (544 -> 4632, 4632 -> 1764, matching the process tree below), so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe  (PID 544)
   Command line: "C:\Users\Admin\AppData\Local\Temp\41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe"
   - Checks computer location settings
   - Maps connected drives based on registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe  (PID 4632, child of 544)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 41bb237aba2daf77dcee5e02c7b634187a
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\tasklist.exe  (PID 1764, child of 4632)
         Command line: tasklist
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken

The cmd.exe line is a self-deletion idiom: tasklist runs long enough for the parent to exit and release its file lock, after which del removes the executable. The del argument is truncated in the report as shown; its visible prefix matches the sample's own file name. Note also that the sample asked for C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe, the WOW64 file system redirection a 32-bit process gets on a 64-bit host, consistent with the arch:x86 resource tag.