Analysis
- max time kernel: 132s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: 9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
  Resource: win10v2004-20220812-en
General
- Target: 9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
- Size: 446KB
- MD5: 098730132576ecf009e4a68e1b2fa76a
- SHA1: ba047a51170be449090f40e2f52acdd041f89e24
- SHA256: 9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168
- SHA512: 9a619f89031bb781ee1a5d51d686de55f1e71ca1ddbecb6bf4ac43f2b91c29c32f7f6c43086d5a19b6abda8564bde992144d16bd4fea3c57a61b8efcbfe83fce
- SSDEEP: 6144:P4lRkAehaKuqT+FEaVnhelxxs6ZgwTSmpO7EqJh8ADX+EhzNjDGLGfGmS1ZlwIp6:PkWAehJuqTixSOV7EqtRtqLeiZlw4oek
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
    pid   Process
    4776  2.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                         Process
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid   Process
    4776  2.exe
    4776  2.exe
    4776  2.exe
    4776  2.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
    description                       pid   Process                                                                   procid_target
    PID 4644 wrote to memory of 4776  4644  9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe  83
    PID 4644 wrote to memory of 4776  4644  9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe  83
    PID 4644 wrote to memory of 4776  4644  9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe  83
    PID 4776 wrote to memory of 2692  4776  2.exe                                                                     53
    PID 4776 wrote to memory of 2692  4776  2.exe                                                                     53
    PID 4776 wrote to memory of 2692  4776  2.exe                                                                     53
    PID 4776 wrote to memory of 2692  4776  2.exe                                                                     53
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2692
  - C:\Users\Admin\AppData\Local\Temp\9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe"
    PID: 4644
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Documents and Settings\2.exe
      Command line: "C:\Documents and Settings\2.exe"
      PID: 4776
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 31KB
  MD5: 127209babfe00b21129b55d94aa9043c
  SHA1: 64b6e61d0727b939370619c441402aad326d94d2
  SHA256: 9701949c51b83279b667f4a4fbb400dcfbf2283e78f7243b2addc8dbac71c9dc
  SHA512: 48d3fc5d9e427b5bb3abd6925bae422434a61e577cd4debae82f6f51a6b3685c36c546acedba8009372284ca1c09b6073269af605d070a4f0b12c9b94dbce353