Analysis
- max time kernel: 153s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 05:27
Static task
- static1
Behavioral task
- behavioral1
  Sample: d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
  Resource: win10v2004-20220812-en
General
- Target: d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
- Size: 648KB
- MD5: 68b4673152111ecc0526533c9f19ad90
- SHA1: 358a23e378e6656b85dff24f438cfb06d0b16b3d
- SHA256: d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8
- SHA512: b5370d06498ff62e2853db37b0596d07eb29407c11d9d2e3d78b3771ee15644a5cfe758f5c144556d64c6101d9bfcaa5053c4288a7d4dd036e05fc9969ad6135
- SSDEEP: 12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid  | Process
  2616 | powyudd.exe
  3564 | ~DFA246.tmp
  2860 | uhnuydd.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                               | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | ~DFA246.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid  | Process
  2860 | uhnuydd.exe (this same entry is repeated 34 times in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 3564 | ~DFA246.tmp
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 4816 wrote to memory of 2616 | 4816 | d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe | 83
  PID 4816 wrote to memory of 2616 | 4816 | d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe | 83
  PID 4816 wrote to memory of 2616 | 4816 | d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe | 83
  PID 2616 wrote to memory of 3564 | 2616 | powyudd.exe                                                          | 84
  PID 2616 wrote to memory of 3564 | 2616 | powyudd.exe                                                          | 84
  PID 2616 wrote to memory of 3564 | 2616 | powyudd.exe                                                          | 84
  PID 4816 wrote to memory of 640  | 4816 | d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe | 85
  PID 4816 wrote to memory of 640  | 4816 | d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe | 85
  PID 4816 wrote to memory of 640  | 4816 | d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe | 85
  PID 3564 wrote to memory of 2860 | 3564 | ~DFA246.tmp                                                          | 89
  PID 3564 wrote to memory of 2860 | 3564 | ~DFA246.tmp                                                          | 89
  PID 3564 wrote to memory of 2860 | 3564 | ~DFA246.tmp                                                          | 89
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe (PID 4816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d16f1f512e1251f573a9286afa7fba25facf1380e810215d16aa83babcec59e8.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\powyudd.exe (PID 2616)
    Command line: C:\Users\Admin\AppData\Local\Temp\powyudd.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp (PID 3564)
      Command line: C:\Users\Admin\AppData\Local\Temp\~DFA246.tmp OK
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\uhnuydd.exe (PID 2860)
        Command line: "C:\Users\Admin\AppData\Local\Temp\uhnuydd.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 640)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
Network
MITRE ATT&CK Enterprise v6
Downloads