Analysis
max time kernel: 153s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 16:25
Static task: static1
Behavioral task: behavioral1
  Sample: 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2 (the run reported on this page; see platform and resource above)
  Sample: 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
  Resource: win10v2004-20220812-en
General
Target: 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
Size: 697KB
MD5: 7c322be974e8deb64b30fc7bc7c92cb8
SHA1: 66d61d7b978fecfd28808b2c0632a0a3ad365600
SHA256: 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720
SHA512: b5859ae72285bc7d8c55026d5f340b713dc40e74d3754a7a16ae6863f49aa524d728c1551fcc1e8cf39a463b83b8f2f22466eacd52d69138c21109eecdaba868
SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config

Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  4792  axcajof.exe
  1280  ~DFA248.tmp
  2136  yqsolof.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The key is the current user's HKCU\Control Panel\International\Geo\Nation (\REGISTRY\USER\<SID> is the per-user hive); both the submitted sample and the dropped ~DFA248.tmp read it.
  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  ~DFA248.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. The report attributes no specific process to this signature.
Suspicious behavior: EnumeratesProcesses (38 IoCs)
  pid   Process
  2136  yqsolof.exe  (all 38 events come from this one process)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1280  ~DFA248.tmp
Suspicious use of WriteProcessMemory (12 IoCs)
Each parent/child pair below is logged three times in the report, so four process creations account for the 12 entries.
  description                       pid   Process                                                                  procid_target
  PID 4912 wrote to memory of 4792  4912  19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe  82
  PID 4792 wrote to memory of 1280  4792  axcajof.exe                                                              83
  PID 4912 wrote to memory of 3180  4912  19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe  84
  PID 1280 wrote to memory of 2136  1280  ~DFA248.tmp                                                              93
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe"
  PID: 4912
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\axcajof.exe
    command line: C:\Users\Admin\AppData\Local\Temp\axcajof.exe
    PID: 4792
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp
      command line: C:\Users\Admin\AppData\Local\Temp\~DFA248.tmp OK
      PID: 1280
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Users\Admin\AppData\Local\Temp\yqsolof.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\yqsolof.exe"
        PID: 2136
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
    PID: 3180
    (The parent asked for system32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection resolved the path to the 32-bit cmd.exe. It runs a batch file the sample left in %TEMP%.)
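The process tree above is exactly what the WriteProcessMemory table encodes once its triplicate entries are collapsed. The following Python is an added example, not code from tria.ge or from this report: it parses the report's own event lines (copied verbatim into WRITE_EVENTS), collapses duplicates, rebuilds the parent/child tree and annotates each PID with the signature hits listed for it. The NAMES and FLAGS dictionaries are assembled by hand from the Processes and Signatures sections; everything else is generic and works on any report table in the same "PID X wrote to memory of Y" shape.

```python
"""Rebuild a sandbox run's process tree from its WriteProcessMemory events.
Added example; not part of the tria.ge report."""
import re

# Copied from the report's "Suspicious use of WriteProcessMemory" table.
# Each parent->child pair appears three times; the last field is the
# sandbox's own process index (procid_target).
WRITE_EVENTS = """\
PID 4912 wrote to memory of 4792 4912 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe 82
PID 4912 wrote to memory of 4792 4912 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe 82
PID 4912 wrote to memory of 4792 4912 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe 82
PID 4792 wrote to memory of 1280 4792 axcajof.exe 83
PID 4792 wrote to memory of 1280 4792 axcajof.exe 83
PID 4792 wrote to memory of 1280 4792 axcajof.exe 83
PID 4912 wrote to memory of 3180 4912 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe 84
PID 4912 wrote to memory of 3180 4912 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe 84
PID 4912 wrote to memory of 3180 4912 19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe 84
PID 1280 wrote to memory of 2136 1280 ~DFA248.tmp 93
PID 1280 wrote to memory of 2136 1280 ~DFA248.tmp 93
PID 1280 wrote to memory of 2136 1280 ~DFA248.tmp 93
"""

# Image names per PID, taken from the report's Processes section.
NAMES = {
    4912: "19d4d4594cffde3006ddc68727e6a1e9798e7c1d7f5fedb5f4b63c3e00e4a720.exe",
    4792: "axcajof.exe",
    1280: "~DFA248.tmp",
    2136: "yqsolof.exe",
    3180: "cmd.exe",
}

# Per-process signature hits, assembled from the report's Signatures section.
FLAGS = {
    4792: ["Executes dropped EXE"],
    1280: ["Executes dropped EXE", "SeDebugPrivilege"],
    2136: ["Executes dropped EXE", "EnumeratesProcesses"],
}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ (\d+)$")


def parse_edges(text):
    """Unique (parent_pid, child_pid) pairs in first-seen order.
    The three identical entries per creation collapse to one edge."""
    edges = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a write event
        edges.setdefault((int(m.group(1)), int(m.group(2))), int(m.group(3)))
    return list(edges)


def build_tree(edges):
    """Map every PID to its children, preserving creation order."""
    tree = {}
    for parent, child in edges:
        tree.setdefault(parent, []).append(child)
        tree.setdefault(child, [])
    return tree


def roots(tree):
    """PIDs that are never a child: the initially executed sample(s)."""
    kids = {c for cs in tree.values() for c in cs}
    return [p for p in tree if p not in kids]


def depth(tree, pid):
    """0 for a root, 1 for its children, and so on (the report shows 1..4)."""
    parent_of = {c: p for p, cs in tree.items() for c in cs}
    d = 0
    while pid in parent_of:
        pid = parent_of[pid]
        d += 1
    return d


def render(tree, names, flags):
    """One indented line per process, with its signature hits in brackets."""
    lines = []

    def walk(pid, level):
        tags = ", ".join(flags.get(pid, [])) or "-"
        lines.append(f"{'    ' * level}{pid} {names.get(pid, '?')} [{tags}]")
        for child in tree.get(pid, []):
            walk(child, level + 1)

    for root in roots(tree):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_tree(parse_edges(WRITE_EVENTS)), NAMES, FLAGS))
```

Running it prints the same five-process chain the report draws (sample at depth 0, axcajof.exe, ~DFA248.tmp and yqsolof.exe nested under it, cmd.exe as a second child of the sample). The dedup step matters when you turn such tables into detection input: counting raw WriteProcessMemory rows would overstate the number of child processes by a factor of three.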
-
Network
MITRE ATT&CK Enterprise v6
Downloads (files written during the run)
None of these shares a hash with the submitted 697KB sample.

Filesize: 341B
  MD5: 40d89701cd9b30db06bc65ae857adc81
  SHA1: e29e4a7d27d039b1c637ccc1cc7755fe6c9983d5
  SHA256: 19d5c0bbf595e06e01b0fbf6f80d4bbd41fa969623bd1396b8ce6eb1c534ea82
  SHA512: c23e7049743094fc300fccbb9abc3ffbb8ae593fd817e38fe77f27696dd055582e8d2e503617994bee1cf394fdc05b302fa86dab89bbfe223afc71256e6d8787

Filesize: 700KB (two identical entries in the report)
  MD5: e718348248eb35015e0cd8f93e8d7f08
  SHA1: fa28049e6e1248ff8311c2a7605ed79c363af540
  SHA256: ce76619fd636193d13b020ec1d03c4340d38b8990d130aa3b5c5699d590da0c1
  SHA512: 432a4a83f5b0833d0c75d163796b3ec7fa16cc52b369b26252ffb48c3f995ecc21bfdd197a16dc1f043f5b27173652af4e6be6737d7ea3f12c2df24839bb9548

Filesize: 104B
  MD5: 86bb2dbeaef655893262f3c041f6afe2
  SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
  SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
  SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Filesize: 480B
  MD5: edd21c306cb2a7fb94c1fa13a28570c4
  SHA1: cd51539a79008775588b89c3546feb532390f490
  SHA256: 9950170b1c1d8c68bd6e9c8e145890993a5787f0996e02922d87551b44a65bb9
  SHA512: 753721206731f18b83ac2e8f92b979c509168192c1992eba8a320f881f4b2c6d3f997e2c13a214f650a3a36f0a80720b3cf9d055961c68daa9fb15f2aa2eb644

Filesize: 382KB (two identical entries in the report)
  MD5: 573462fe47461e1ab7101539a328550a
  SHA1: 06e9f925066e66ae9d8d8ec1f15b85dfdb59a999
  SHA256: e1b858496fd58695944007eea7de3a909f5b9d4a69652bce2fbc265b8b328ddf
  SHA512: bdd5699d915181f676741df182956829598483446a3b856b0b7bb247c0379ceb2ace4b1009d512198d26cf6c47f1ca6a4bddce488ddad894701e187f1e320e85

Filesize: 704KB (two identical entries in the report)
  MD5: a46a9f915fe3bcf76073af1103b6a1bf
  SHA1: 4ffdca3990e5eca9f03bce7dfc4534b891f59ccf
  SHA256: 5d41d854733b5375269afa56eee5cc21586bb1dfe829185b96accd61c7b20f58
  SHA512: c4f03be808c591dfad0a5e549eea7fc3bcdb73cf156411da9826da0f7d9ec65f335d9508656cf06bd0cbd2ee8d6fc054222bd0077a9a4da56c03ca076b8d3199