Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
11/10/2022, 19:07
General
-
Target
c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
-
Size
105KB
-
MD5
65d9c9a18d96d8c9da65a37b4c2a5572
-
SHA1
42660dc87fd5fa12aa452a4c5cd7fd3fa20628c3
-
SHA256
c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b
-
SHA512
0f845a701c29f33a83715ebfb60e5f6b881a9a1bfe00016ac4df667f425baf88ee547cb7a87e212e13490dd07566f4d20432109599cc04c4dc27c0c0b55f6928
-
SSDEEP
3072:pxIWTjOKItEKn/tenU6suHaqwbmrFf5j:pL3FI6+1enU6su6Jbmj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe"C:\Users\Admin\AppData\Local\Temp\c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Flash Player.exe"C:\Users\Admin\AppData\Roaming\Flash Player.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Flash Player.exe" "Flash Player.exe" ENABLE3⤵
- Modifies Windows Firewall
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105KB
MD565d9c9a18d96d8c9da65a37b4c2a5572
SHA142660dc87fd5fa12aa452a4c5cd7fd3fa20628c3
SHA256c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b
SHA5120f845a701c29f33a83715ebfb60e5f6b881a9a1bfe00016ac4df667f425baf88ee547cb7a87e212e13490dd07566f4d20432109599cc04c4dc27c0c0b55f6928
-
Filesize
105KB
MD565d9c9a18d96d8c9da65a37b4c2a5572
SHA142660dc87fd5fa12aa452a4c5cd7fd3fa20628c3
SHA256c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b
SHA5120f845a701c29f33a83715ebfb60e5f6b881a9a1bfe00016ac4df667f425baf88ee547cb7a87e212e13490dd07566f4d20432109599cc04c4dc27c0c0b55f6928
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB