Analysis
max time kernel: 54s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2022, 06:31
Static task: static1
Behavioral task: behavioral1 (sample b.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample b.exe, resource win10v2004-20220812-en)
General
Target: b.exe
Size: 1.9MB
MD5: f6ed15763205da5fc35bc6af8ad1f000
SHA1: e95b9750d5323fe4b0a3949945590ebb0de149bf
SHA256: b7fc68653c4d32be7f3180abb0cffdfcb61c796adaa18ac4d58062bae83aaefa
SHA512: ca6d9f3f0956bf03b917d9c45c881a4672e6553eb5dd7de22ddb4a61fd9d5b7bab04cd5efa9693561e3c327bb31045f475fd78bb6af08ed8cbf620260a720b25
SSDEEP: 24576:z7FUDowAyrTVE3U5FmdpDAI4oafbLHGE5x7awFhJdNo69lOy7KTijlN:zBuZrEUwD+oafv55DdN7POGjr
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2528  b.tmp
  4892  b.tmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. Note that this key is what GetUserGeoID reads, so any locale-aware installer trips this signature; on its own it is weak evidence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  b.tmp
Loads dropped DLL (2 IoCs)
  pid   Process
  2528  b.tmp
  4892  b.tmp

Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  217.160.70.42

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process  procid_target
  PID 4892 set thread context of 1488    4892  b.tmp    86

Drops file in Program Files directory (2 IoCs)
  description   ioc                                               Process
  File created  C:\Program Files (x86)\PC_installer\unins000.dat  b.tmp
  File created  C:\Program Files (x86)\PC_installer\is-12R3C.tmp  b.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (No IoC rows are listed for this signature.)

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1772  1488        WerFault.exe  86

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process       occurrences
  1488  explorer.exe  2
  4892  b.tmp         6

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4892  b.tmp

Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   Process  procid_target  occurrences
  PID 2856 wrote to memory of 2528   2856  b.exe    83             3
  PID 2528 wrote to memory of 4988   2528  b.tmp    84             3
  PID 4988 wrote to memory of 4892   4988  b.exe    85             3
  PID 4892 wrote to memory of 1488   4892  b.tmp    86             4
Processes

Process tree as recorded by the sandbox (indentation shows parent/child, PID in brackets, command line on the line below the image path). The is-XXXXX.tmp\b.tmp stub, the /SL5= switch, /VERYSILENT and the unins000.dat uninstall log are Inno Setup installer conventions: b.exe unpacks its setup stub to a temp directory and runs it, and that stub relaunches the original b.exe with /VERYSILENT, producing a second stub (PID 4892). That second stub spawns C:\Windows\SysWOW64\explorer.exe, writes to its memory and sets its thread context (see the WriteProcessMemory and SetThreadContext signatures), after which that explorer.exe instance crashes into WerFault.exe. Write-then-SetThreadContext on a freshly spawned Windows binary is the shape of process hollowing; the crash is consistent with an injection that did not run cleanly, though the report does not show what was written.

C:\Users\Admin\AppData\Local\Temp\b.exe [PID 2856]
  "C:\Users\Admin\AppData\Local\Temp\b.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-NRDUE.tmp\b.tmp [PID 2528]
    "C:\Users\Admin\AppData\Local\Temp\is-NRDUE.tmp\b.tmp" /SL5="$B006A,1135239,832512,C:\Users\Admin\AppData\Local\Temp\b.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b.exe [PID 4988]
      "C:\Users\Admin\AppData\Local\Temp\b.exe" /VERYSILENT
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\is-OCT25.tmp\b.tmp [PID 4892]
        "C:\Users\Admin\AppData\Local\Temp\is-OCT25.tmp\b.tmp" /SL5="$C006A,1135239,832512,C:\Users\Admin\AppData\Local\Temp\b.exe" /VERYSILENT
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe [PID 1488]
          explorer.exe
          - Suspicious behavior: EnumeratesProcesses
          C:\Windows\SysWOW64\WerFault.exe [PID 1772]
            C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 748
            - Program crash

C:\Windows\SysWOW64\WerFault.exe [PID 4816]
  C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1488 -ip 1488
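The WriteProcessMemory, SetThreadContext and Program crash signatures above only become meaningful when correlated against the process tree. The following is an added example, not tria.ge's code or schema: it encodes the PIDs, images, memory-manipulation rows and the WerFault crash from this report as constructed Python records and flags a (source, target) pair as an injection finding when the source both wrote the target's memory and set a thread context in it, marking the classic hollowing shape when the source is also the target's parent and the target runs a Windows-directory binary. The field names, the `PROCESSES`/`EVENTS`/`CRASHES` tables and the `injection_findings` heuristic are this example's own assumptions; the generalization to any report with the same three signatures is the example's, not something this page states.

```python
from collections import defaultdict

# Process tree: pid -> (parent pid, image path). Constructed from this
# report's "Processes" section; parents are read off the tree depth shown there.
PROCESSES = {
    2856: (None, r"C:\Users\Admin\AppData\Local\Temp\b.exe"),
    2528: (2856, r"C:\Users\Admin\AppData\Local\Temp\is-NRDUE.tmp\b.tmp"),
    4988: (2528, r"C:\Users\Admin\AppData\Local\Temp\b.exe"),
    4892: (4988, r"C:\Users\Admin\AppData\Local\Temp\is-OCT25.tmp\b.tmp"),
    1488: (4892, r"C:\Windows\SysWOW64\explorer.exe"),
    1772: (1488, r"C:\Windows\SysWOW64\WerFault.exe"),
    4816: (None, r"C:\Windows\SysWOW64\WerFault.exe"),
}

# (api, source pid, target pid) rows constructed from the WriteProcessMemory
# and SetThreadContext signatures; the repeat counts match the report's 13 rows.
EVENTS = (
    [("WriteProcessMemory", 2856, 2528)] * 3
    + [("WriteProcessMemory", 2528, 4988)] * 3
    + [("WriteProcessMemory", 4988, 4892)] * 3
    + [("WriteProcessMemory", 4892, 1488)] * 4
    + [("SetThreadContext", 4892, 1488)]
)

# (WerFault pid, crashed pid) constructed from the "Program crash" signature.
CRASHES = [(1772, 1488)]

# Directories whose binaries are the usual hollowing targets (assumption).
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_windows_image(image):
    """True when the image lives under System32 or SysWOW64."""
    return image.lower().startswith(WINDOWS_DIRS)


def ancestry(processes, pid):
    """Image file names from pid up to the tree root, nearest first."""
    chain = []
    while pid is not None:
        parent, image = processes[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = parent
    return chain


def injection_findings(processes, events, crashes):
    """One finding per (src, dst) pair where src both wrote dst's memory and
    set a thread context in it. SetThreadContext without a preceding write is
    skipped: on its own it is not the pattern. A target crash is reported as
    corroborating context only, not as proof the injection succeeded or failed."""
    writes = defaultdict(int)
    ctx_targets = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_targets.add((src, dst))
    crashed = {victim for _, victim in crashes}
    findings = []
    for src, dst in sorted(ctx_targets):
        if (src, dst) not in writes:
            continue
        parent, image = processes[dst]
        findings.append({
            "source": src,
            "target": dst,
            "target_image": image.rsplit("\\", 1)[-1],
            "writes": writes[(src, dst)],
            "parent_is_source": parent == src,
            "hollowing_shape": parent == src and is_windows_image(image),
            "target_crashed": dst in crashed,
            "source_ancestry": ancestry(processes, src),
        })
    return findings


if __name__ == "__main__":
    for finding in injection_findings(PROCESSES, EVENTS, CRASHES):
        print(finding)
```

Run against the constructed records this yields a single finding: b.tmp (PID 4892) into explorer.exe (PID 1488), four writes, parent-is-source, Windows-directory target, target crashed, with the source ancestry b.tmp, b.exe, b.tmp, b.exe showing the double installer stage. The three installer-stage WriteProcessMemory rows (2856 to 2528, 2528 to 4988, 4988 to 4892) produce no finding because no SetThreadContext accompanies them, which is the filter that separates an installer passing data to its child from the hollowing shape.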
Network
MITRE ATT&CK Enterprise v6
Downloads

Five entries are listed, covering two distinct files: the 339KB file appears twice (entries 1 and 5) and the 3.0MB file three times (entries 2 to 4).

Entries 1 and 5
  Filesize: 339KB
  MD5:    8f1ff631e1c3918ba0d731673994d5cb
  SHA1:   93b9337010e346afc546f3fd733a52aa38dba77f
  SHA256: fe81ed8671a5384d55299eef4ad679f6f5a080ad69cb072865327fe93ed85cbd
  SHA512: 4f68d6aac354640d3cb578b64f5f3d141ce143dbec47ea92fd841c061ba3b7a92c91c386df428fde86eba625c404a0e3145d4585a6cc6dcc322bf48e62e004bd

Entries 2, 3 and 4
  Filesize: 3.0MB
  MD5:    77d406991227cc35026e45fe0411b3b5
  SHA1:   3d1a314aa86c24e84e97782c7c093a4d7f972f4d
  SHA256: 0f4f707356ffab07e4764773c06573f2dbf253309e136f220cef0419c6c644e3
  SHA512: f61e3a9d8c573c444519300e3f3a6d12d48ea1c43cbde7835d0fe871e997d2f75589b4c8e9896903d062e68b1313cb141e41269281a7b78f8ea86c3c510a4501