Analysis
- max time kernel: 190s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 05:27
Static task: static1
Behavioral task: behavioral1
- Sample: f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
- Resource: win10v2004-20220812-en
General
- Target: f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
- Size: 668KB
- MD5: 439959a920e04f2db59b7fe2dd3ef430
- SHA1: 561e0630ea09a5f45f46d8abc4f422ad2dcd6fa7
- SHA256: f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc
- SHA512: 45cf7794c24864c749592f9060b1c4539eb8051747e2042dc2532ad9fc23c71a88a382cae90599a01e73dbeb8630b02508f1355bb5b8fb474b30cf4dd8d7f13d
- SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  PID 2436: suevlok.exe
  PID 2604: ~DFA258.tmp
  PID 804: jievodq.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by ~DFA258.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  All 32 occurrences: PID 804, jievodq.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2604, ~DFA258.tmp
- Suspicious use of WriteProcessMemory (12 IoCs; each of the four writes below was recorded three times)
  PID 924 (f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe) wrote to memory of PID 2436, target id 82
  PID 924 (f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe) wrote to memory of PID 3928, target id 83
  PID 2436 (suevlok.exe) wrote to memory of PID 2604, target id 85
  PID 2604 (~DFA258.tmp) wrote to memory of PID 804, target id 86
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe (PID 924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f49651cc591a70ada81923879dc55003db47983af92d038eeffaae7245f031bc.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\suevlok.exe (PID 2436)
    Command line: C:\Users\Admin\AppData\Local\Temp\suevlok.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\~DFA258.tmp (PID 2604)
      Command line: C:\Users\Admin\AppData\Local\Temp\~DFA258.tmp OK
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Users\Admin\AppData\Local\Temp\jievodq.exe (PID 804)
        Command line: "C:\Users\Admin\AppData\Local\Temp\jievodq.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  - Level 2: C:\Windows\SysWOW64\cmd.exe (PID 3928)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
Network
MITRE ATT&CK Enterprise v6
Downloads