Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    132s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 09:23

General

  • Target

    9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe

  • Size

    446KB

  • MD5

    098730132576ecf009e4a68e1b2fa76a

  • SHA1

    ba047a51170be449090f40e2f52acdd041f89e24

  • SHA256

    9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168

  • SHA512

    9a619f89031bb781ee1a5d51d686de55f1e71ca1ddbecb6bf4ac43f2b91c29c32f7f6c43086d5a19b6abda8564bde992144d16bd4fea3c57a61b8efcbfe83fce

  • SSDEEP

    6144:P4lRkAehaKuqT+FEaVnhelxxs6ZgwTSmpO7EqJh8ADX+EhzNjDGLGfGmS1ZlwIp6:PkWAehJuqTixSOV7EqtRtqLeiZlw4oek

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe
        "C:\Users\Admin\AppData\Local\Temp\9114f0f7030067985b2ca7f8f143b26b78474837c7f66d5ba56d4fe8d9f69168.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Documents and Settings\2.exe
          "C:\Documents and Settings\2.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4776

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Documents and Settings\2.exe

      Filesize

      31KB

      MD5

      127209babfe00b21129b55d94aa9043c

      SHA1

      64b6e61d0727b939370619c441402aad326d94d2

      SHA256

      9701949c51b83279b667f4a4fbb400dcfbf2283e78f7243b2addc8dbac71c9dc

      SHA512

      48d3fc5d9e427b5bb3abd6925bae422434a61e577cd4debae82f6f51a6b3685c36c546acedba8009372284ca1c09b6073269af605d070a4f0b12c9b94dbce353

    • C:\Users\2.exe

      Filesize

      31KB

      MD5

      127209babfe00b21129b55d94aa9043c

      SHA1

      64b6e61d0727b939370619c441402aad326d94d2

      SHA256

      9701949c51b83279b667f4a4fbb400dcfbf2283e78f7243b2addc8dbac71c9dc

      SHA512

      48d3fc5d9e427b5bb3abd6925bae422434a61e577cd4debae82f6f51a6b3685c36c546acedba8009372284ca1c09b6073269af605d070a4f0b12c9b94dbce353

    • memory/2692-136-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

    • memory/4776-135-0x0000000000400000-0x0000000000408960-memory.dmp

      Filesize

      34KB

    • memory/4776-137-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB