Analysis
max time kernel: 163s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 16:12
Static task: static1
Behavioral task: behavioral1
  Sample: e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe
  Resource: win10v2004-20220812-en
General
Target: e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe
Size: 196KB
MD5: 682e2b9d20296f785ddc4d14f36c5890
SHA1: 53f416e09a160435952b0e7d555bbbee2761062e
SHA256: e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056
SHA512: 4cfb42bd7d352394074fd1d8e637eb945136453165b6307d1332855eac008f7c0cb06e5298afcfc6a9467178103252d0766dc4eccea49f138df4121ba3aee39b
SSDEEP: 3072:aM65zTN7RH9Avfeo3fpp0dL5qxpubZyejITv9fXFg1:1mTNJ0fp3Bp0dLiobP+v9fVa
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Process: e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  pid: 1652
  Process: PING.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2556 wrote to memory of 4740 | 2556 | e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe | 81
  PID 2556 wrote to memory of 4740 | 2556 | e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe | 81
  PID 2556 wrote to memory of 4740 | 2556 | e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe | 81
  PID 4740 wrote to memory of 1652 | 4740 | cmd.exe | 83
  PID 4740 wrote to memory of 1652 | 4740 | cmd.exe | 83
  PID 4740 wrote to memory of 1652 | 4740 | cmd.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0cdb77a07439e58e6ef0c94b4efb3e82340d898bfa66d361d98190ce2cae056.exe"
  PID: 2556
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A25A.tmp.bat" >> NUL
    PID: 4740
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2 -w 1000
      PID: 1652
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 130B
  MD5: d56456b749193e8708004c52e8b034ef
  SHA1: e63702f74124c60b7f7e4c4e731fd7565060a80a
  SHA256: 64b7a6132aee7cf27a6179dbc0329f839b0dc686ee1cec134e037cd4204787d9
  SHA512: 2cebb84dca7b6c488bdd5a0b936f474b9108f993ec6bbb7534b13769a6fbabd5ab43236727d1a32cb2069c082403e6f869172a2c0e455846a1f77124952e8f97