Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 02:41

General

  • Target

    ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe

  • Size

    729KB

  • MD5

    45acd575e7b1acd77efd89949ed69fa0

  • SHA1

    d651d529f8bb3fe4a064b212d1e3cd23697c13aa

  • SHA256

    ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9

  • SHA512

    6c3459fbdd1d2aa2e0f4284ce37137eeb03734c96f297107045b6ee30f37019845495290e3f174ed23e5463b9b20f661c009393d71d81f574dcce8b3864f8d64

  • SSDEEP

    12288:0PiZktiErttOglVDEQdtHBsD3pM+l+tK81lFlmvodAKBxULEg7KdfHGvMvvZEsAP:5Z3ErttXpEQdtc3pVYTlFlmv+Aq6NKdM

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe
    "C:\Users\Admin\AppData\Local\Temp\ed4935deb85d931e20ae8496a995c37082f59eb11fc088bb4563d62b5f2836e9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4644
    • \??\c:\windows\temp\clientbar.exe
      c:\windows\temp\clientbar.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\net.exe
        net stop sharedaccess
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop sharedaccess
          4⤵
            PID:3844

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Temp\clientbar.exe

      Filesize

      5KB

      MD5

      0ca87b75fe0cde361fba653f4c67b9f6

      SHA1

      95dec5649144b7fe90ac0517c6e14f369e27e0c4

      SHA256

      09df7690b946f8916fb5d406b3598aee76e255743d6db76fd48af0d2d62846e3

      SHA512

      8725243967716e64e656e4e6f43d87438a2dfb736a3ed5cf35621064683c7801450fd50389af133f5b4eee084077011b00af3a3a1612c413d9a4bd19ebb58fd1

    • C:\Windows\Temp\minihook.dll

      Filesize

      16KB

      MD5

      dc496987d75b5e592112605a2dbd8532

      SHA1

      758513f98b8765aa17219c5c4a9afd177dee2832

      SHA256

      e07e564b08899a594905bd503090321754df7c1c01acedc91bc3853c41c716dd

      SHA512

      f2949ab15b83f7448619e7b6adead063bd2d1a616249f3bc22c200133303b49d8541b53418ae993770070cd9576abf34237d21f8441b693c8d35c6107066d7f8

    • \??\c:\windows\temp\clientbar.exe

      Filesize

      5KB

      MD5

      0ca87b75fe0cde361fba653f4c67b9f6

      SHA1

      95dec5649144b7fe90ac0517c6e14f369e27e0c4

      SHA256

      09df7690b946f8916fb5d406b3598aee76e255743d6db76fd48af0d2d62846e3

      SHA512

      8725243967716e64e656e4e6f43d87438a2dfb736a3ed5cf35621064683c7801450fd50389af133f5b4eee084077011b00af3a3a1612c413d9a4bd19ebb58fd1

    • memory/2260-143-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4644-137-0x0000000000400000-0x00000000005BE000-memory.dmp

      Filesize

      1.7MB

    • memory/4644-144-0x0000000000400000-0x00000000005BE000-memory.dmp

      Filesize

      1.7MB

    • memory/4644-146-0x0000000010000000-0x0000000010008000-memory.dmp

      Filesize

      32KB