Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/10/2022, 02:49
Static task: static1
Behavioral task: behavioral1
- Sample: ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe
- Resource: win10v2004-20220901-en
The analysis details on this page (platform windows10-2004_x64, resource win10v2004-20220901-en) are those of the Windows 10 run, behavioral2.
General
- Target: ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe
- Size: 96KB
- MD5: 64bf3ee8f8e7ac21716f4c67f7c72fe0
- SHA1: e63679dc7b7d7d01f9e09f708b8ab9db3e5e45e9
- SHA256: ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3
- SHA512: ba1e5d901ff29269fd0304ac5c70e29f46d12bf38a5262f589fb8435e89d8024532cfb7ace139cdbb738800de0129dfcce99659ffa765069a7c8a4c3a557ec72
- SSDEEP: 1536:L8ppt6jk1Gn/dcVHAWF1+bmc7L8UB7aFmWg02vmd0cuvM3nrYk9PhFUV7R8pg:wppt646f+1+Vfay0imd0NCrh9PhGeg
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 4684, chrome.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
- PID 4696, netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe)
Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a7f54bd68008d730d8b5545508f0225.exe (process: chrome.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a7f54bd68008d730d8b5545508f0225.exe (process: chrome.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a7f54bd68008d730d8b5545508f0225 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .." (process: chrome.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7a7f54bd68008d730d8b5545508f0225 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .." (process: chrome.exe)
The same value name is written under both the user hive and HKLM, so the persistence survives if only one key is cleaned. The machine-hive write lands under WOW6432Node because the writer is a 32-bit process on the x64 image (it also launches netsh from SysWOW64); seen from a 32-bit process the same key reads as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's signature text calls this likely ransomware behaviour; nothing else in this report records file encryption or mass file modification, so treat that label as a heuristic rather than a classification.
Suspicious use of AdjustPrivilegeToken (33 IoCs)
- PID 4684, chrome.exe: SeDebugPrivilege enabled once, followed by 32 further adjustments alternating between privilege 33 (shown unresolved by the sandbox) and SeIncBasePriorityPrivilege, 16 of each.
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1948 (ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe) wrote to the memory of PID 4684 three times (procid_target 91)
- PID 4684 (chrome.exe) wrote to the memory of PID 4696 three times (procid_target 94)
Each writer targets a process it has just spawned (see the process tree below), which is the pattern the sandbox records around ordinary child-process creation; on its own this is not evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe (PID 1948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\chrome.exe (PID 4684, child of 1948)
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4696, child of 4684)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
      - Modifies Windows Firewall
The legacy netsh firewall syntax is deprecated on current Windows in favour of netsh advfirewall firewall, but it is still accepted, and allowedprogram adds the dropped binary to the firewall's allowed-program exceptions so inbound connections to it are permitted. Note the chain of user-writable paths: the sample runs from Temp, drops a second copy named after a legitimate browser in the same directory, and it is that Temp path that the Run keys, the Startup entry and the firewall exception all point at.
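The persistence and firewall-tampering chain recorded above, turned into hunting logic, as an added example written for this page and not tria.ge's own signature code. The events it processes are constructed from the report's IoCs using Sysmon field names (EventID 1 process create, 11 file create, 13 registry value set) and are not captured telemetry; the OneDrive-style Run entry is an invented benign control. The rules key on the user-writable Temp path rather than on AppData in general, credit the netsh firewall change to the process that launched netsh, and only call a process suspicious when several distinct rules fire on it.

```python
"""Hunt for the chain this report records: a binary named chrome.exe running
from %LOCALAPPDATA%\\Temp that registers Run keys and a Startup-folder copy,
then opens an inbound firewall exception for itself with netsh.

Added example for this page; not tria.ge's signature code. The events below
are CONSTRUCTED from the report's IoCs using Sysmon field names (EventID 1 =
process create, 11 = file create, 13 = registry value set); they are not
captured telemetry. A OneDrive-style Run entry is included as a benign control.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3.exe"
DROPPED = TEMP_DIR + r"\chrome.exe"
RUN_NAME = "7a7f54bd68008d730d8b5545508f0225"
USER_SID = "S-1-5-21-929662420-1054238289-2961194603-1000"
RUN_TAIL = r"\Microsoft\Windows\CurrentVersion\Run" + "\\" + RUN_NAME
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup" + "\\" + RUN_NAME + ".exe")
ONEDRIVE = r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"  # invented control

EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "4684", "ParentProcessId": "1948",
     "Image": DROPPED, "CommandLine": '"' + DROPPED + '"',
     "ParentImage": TEMP_DIR + "\\" + SAMPLE},
    {"EventID": "11", "ProcessId": "4684", "Image": DROPPED,
     "TargetFilename": STARTUP_COPY},
    {"EventID": "13", "ProcessId": "4684", "Image": DROPPED,
     "TargetObject": "HKU\\" + USER_SID + r"\SOFTWARE" + RUN_TAIL,
     "Details": '"' + DROPPED + '" ..'},
    {"EventID": "13", "ProcessId": "4684", "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node" + RUN_TAIL,
     "Details": '"' + DROPPED + '" ..'},
    {"EventID": "1", "ProcessId": "4696", "ParentProcessId": "4684",
     "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": DROPPED,
     "CommandLine": 'netsh firewall add allowedprogram "' + DROPPED + '" "chrome.exe" ENABLE'},
    # Benign control: an updater persisting from AppData\Local, but not from Temp.
    {"EventID": "13", "ProcessId": "2100", "Image": ONEDRIVE,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": '"' + ONEDRIVE + '" /background'},
]

TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
FW_ALLOW = re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+add\s+allowedprogram"
                      r"|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
PROGRAM_FILES = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)


def check_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, actor_pid) pairs that fire on one event."""
    hits: List[Tuple[str, str]] = []
    eid, pid, image = ev.get("EventID"), ev.get("ProcessId", ""), ev.get("Image", "")
    # Run key (either hive, WOW6432Node included) whose value points into Temp.
    if eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")) \
            and TEMP_PATH.search(ev.get("Details", "")):
        hits.append(("run_key_to_temp", pid))
    # Executable written into the per-user Startup folder.
    if eid == "11":
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR.search(target) and target.lower().endswith(".exe"):
            hits.append(("startup_folder_exe", pid))
    if eid == "1":
        cmd = ev.get("CommandLine", "")
        # Firewall exception for a program living in Temp. netsh is only the
        # tool, so the hole is credited to the process that spawned it.
        if FW_ALLOW.search(cmd) and TEMP_PATH.search(cmd):
            hits.append(("firewall_allow_temp", ev.get("ParentProcessId", pid)))
        # A browser-named image that is not installed under Program Files.
        if image.lower().endswith("\\chrome.exe") and not PROGRAM_FILES.match(image):
            hits.append(("browser_name_outside_program_files", pid))
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every rule over every event; returns all (rule, actor_pid) hits."""
    return [hit for ev in events for hit in check_event(ev)]


def suspicious_pids(findings: List[Tuple[str, str]], min_rules: int = 2) -> Set[str]:
    """PIDs that tripped at least min_rules DISTINCT rules: one Run key under
    AppData is noise; Run key + Startup copy + firewall hole is the chain."""
    per_pid: Dict[str, Set[str]] = defaultdict(set)
    for rule, pid in findings:
        per_pid[pid].add(rule)
    return {pid for pid, rules in per_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for rule, pid in found:
        print(f"{rule:40s} actor pid {pid}")
    print("chain detected in:", suspicious_pids(found))
```

On the constructed events every hit lands on PID 4684, including the firewall exception that netsh (PID 4696) executed on its behalf, and the OneDrive control trips nothing because its Run value points under AppData\Local\Microsoft rather than Temp. Against real Sysmon data the same rules apply unchanged; only the event source differs.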
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
- Filesize: 96KB
- MD5: 64bf3ee8f8e7ac21716f4c67f7c72fe0
- SHA1: e63679dc7b7d7d01f9e09f708b8ab9db3e5e45e9
- SHA256: ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3
- SHA512: ba1e5d901ff29269fd0304ac5c70e29f46d12bf38a5262f589fb8435e89d8024532cfb7ace139cdbb738800de0129dfcce99659ffa765069a7c8a4c3a557ec72
File 2
- Filesize: 96KB
- MD5: 64bf3ee8f8e7ac21716f4c67f7c72fe0
- SHA1: e63679dc7b7d7d01f9e09f708b8ab9db3e5e45e9
- SHA256: ba53f8ab7eafe61356f7ca7dd17417505feec931127c5577bd6723a1693c2aa3
- SHA512: ba1e5d901ff29269fd0304ac5c70e29f46d12bf38a5262f589fb8435e89d8024532cfb7ace139cdbb738800de0129dfcce99659ffa765069a7c8a4c3a557ec72
Both entries carry exactly the submitted sample's size and hashes, so the files the sandbox collected during the run are byte-identical copies of the original executable rather than a distinct second-stage payload; the two artefacts the signatures record being written are Temp\chrome.exe and the Startup-folder copy. For blocking purposes the sample's hashes therefore cover the dropped files as well.