Analysis

  • max time kernel
    65s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 05:38

General

  • Target

    b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe

  • Size

    113KB

  • MD5

    6945475e30633fe7b7423876857afebd

  • SHA1

    f3fe43844e2153d123c29f5e446da2c54d2bb9ee

  • SHA256

    b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b

  • SHA512

    445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1

  • SSDEEP

    3072:TQIDRTXJJmGz9AVvPBVWLGLC5uQ0cJRkw2cU:T/3mGRAJepUncJa

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:1008
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3456
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2268
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:2700
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4820
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3744
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3552
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3352
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3244
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:2948
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
      "C:\Users\Admin\AppData\Local\Temp\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe"
      2⤵
      • UAC bypass
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3516
      • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
        "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4296
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:1420
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:2732
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:3484
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:3772
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:340
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:2208
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:1244
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE"
          4⤵
          PID:4120
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2416
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2328
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2308
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:776
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:768

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0E56BD88_Rar\b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b.exe
    Filesize
    53KB
    MD5
    273d78e14fd846c2eabe42788ea7f550
    SHA1
    a78c813af5237a521685e321b7d34870fe99f152
    SHA256
    b786ff9afd3be4b1ee992dc68e32b70d52e19cee5bca7f6779ecd211aa55a5a4
    SHA512
    40458559e8369c7096bf21f0975fdbde879da441c1f5026ec1877fa03ddc7f528e91ceb44a71fdc1b86ec39625d075568038a3f62417812c225c67ed6f90609b

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize
    113KB
    MD5
    6945475e30633fe7b7423876857afebd
    SHA1
    f3fe43844e2153d123c29f5e446da2c54d2bb9ee
    SHA256
    b6aad83ed3c938716b7171a3ff12aeeb85d2d4e40f78e8710462784550d6779b
    SHA512
    445565c520d8253f6d9419bb2fa5ad6d721d904fd451f1a04d7a8e3958878de7bafc9f8b96e60f2d879bcc85682950e618bf29fdcbf4cab27ddcdef9cee6b6d1

  • C:\Windows\SYSTEM.INI
    Filesize
    258B
    MD5
    bb8ef8e7dcfaeb96be2de5d81ae0fd4b
    SHA1
    3cd6cc1a313c6d889c76ef822bb1d4b92dc70017
    SHA256
    ae3bf4c85d244e531cf88e21917729d39e22c391ea51aad5cc3374596c4c1a5d
    SHA512
    e8e1c849ab3fe3a77314c26811e3c0d4daf0828e4318a444de5dea3e27e68d5b38d498793037959324835cda60569b1c5f711b3a4f0066ff6d97e5be0c6a93b7

  • memory/340-154-0x0000000000820000-0x0000000000834000-memory.dmp
    Filesize
    80KB

  • memory/1244-158-0x0000000000740000-0x0000000000754000-memory.dmp
    Filesize
    80KB

  • memory/1420-146-0x00000000005A0000-0x00000000005B4000-memory.dmp
    Filesize
    80KB

  • memory/2208-156-0x0000000001240000-0x0000000001254000-memory.dmp
    Filesize
    80KB

  • memory/2732-148-0x0000000000F20000-0x0000000000F34000-memory.dmp
    Filesize
    80KB

  • memory/3484-150-0x0000000000E20000-0x0000000000E34000-memory.dmp
    Filesize
    80KB

  • memory/3516-139-0x0000000002220000-0x000000000324A000-memory.dmp
    Filesize
    16.2MB

  • memory/3516-133-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize
    268KB

  • memory/3516-138-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize
    268KB

  • memory/3516-134-0x0000000002220000-0x000000000324A000-memory.dmp
    Filesize
    16.2MB

  • memory/3772-152-0x0000000000410000-0x0000000000424000-memory.dmp
    Filesize
    80KB

  • memory/4296-144-0x00000000049D0000-0x00000000059FA000-memory.dmp
    Filesize
    16.2MB

  • memory/4296-141-0x00000000049D0000-0x00000000059FA000-memory.dmp
    Filesize
    16.2MB

  • memory/4296-140-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize
    268KB