Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    90s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 16:25

General

  • Target

    41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe

  • Size

    112KB

  • MD5

    3dfc6b97ad44bf4ca8667a80e7023b80

  • SHA1

    f33fdd4709d6cd6e91c7e6982e190b734d74c08b

  • SHA256

    41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d

  • SHA512

    2967c25f23089ce5fe975d579f04082bfb53a15e9caefa943cb105094dd6ce4e90ba7409624baf2baf7a51ea901b499c4a2164c0c4e655a2552f32eecf292dfb

  • SSDEEP

    1536:E9wro4UWQFkQZP2LSkS+yiPmuHS/UWrUuOOJE5fiExEENYaIT8XDyJ:E9whQmQZgjTHScWrUmJElxEECCD

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe
    "C:\Users\Admin\AppData\Local\Temp\41bb237aba2daf77dcee5e02c7b634187a4fd8feb677c0f6417a0afc467b358d.exe"
    1⤵
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 41bb237aba2daf77dcee5e02c7b634187a
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1764

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads