Analysis

  • max time kernel
    118s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 01:18

General

  • Target

    767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe

  • Size

    61KB

  • MD5

    40b4b185792e7ffc1e946bb022262180

  • SHA1

    bf226ca21f5f5433d1c52f600c66e4e198c483b0

  • SHA256

    767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb

  • SHA512

    e0d5810fd9a3c2e213df788d2ffb01568a4ac636d4071baff0226222c27d294c1403ffe5ab67b70b06d6d1c68ba69b9eb45e80da8a5355834ccd79e3bc1535d7

  • SSDEEP

    768:oylfdxBCi4imGYRd43JfnPOlBAgW7nhsqzdjqiB9V1/IeAlqYWotiPHgK:oytL48YRd43J/L7O2T/foE

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe
    "C:\Users\Admin\AppData\Local\Temp\767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t9489.bat" "C:\Users\Admin\AppData\Local\Temp\767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v Run /t REG_SZ /f /D C:\Users\Admin\AppData\Roaming\OSSMTP.exe
        3⤵
        • Adds Run key to start application
        PID:2212
      • C:\Windows\SysWOW64\reg.exe
        REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D94AEE6-A6F4-4715-9BC8-A6A4A837EFCE}" /v "Enable"
        3⤵
        PID:4756
      • C:\Windows\SysWOW64\find.exe
        Find "1"
        3⤵
        PID:3232
      • C:\Windows\SysWOW64\find.exe
        Find "Brasil"
        3⤵
        PID:204
      • C:\Windows\SysWOW64\reg.exe
        REG QUERY "HKCU\Control Panel\International" /v "sCountry"
        3⤵
        PID:216
      • C:\Windows\SysWOW64\reg.exe
        REG QUERY "HKCU\Control Panel\International" /v "sCountry"
        3⤵
        PID:4148
      • C:\Windows\SysWOW64\find.exe
        Find "Brazil"
        3⤵
        PID:1832

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ztmp\t9489.bat

    Filesize
    1KB

    MD5
    a70dba5aa4c0aa655507850edac82b56

    SHA1
    46b348a919406c491cc6f506ec1548d5778b9bf2

    SHA256
    de02de7efc14581e8beb862bd8ecd619147c1d2c7fbe11b34ce6c40ae605dead

    SHA512
    61163019cc27f8304ad201895da7cc663198702122dd97cb035c0199d54be1fb2ecdd6d357d48ac3d0cfc58e374dcf7cbed5b55b80e53bffc1d918687c616e50