Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2022, 14:12

General

  • Target: 8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.exe
  • Size: 79KB
  • MD5: 5f1c6dca730a015ea3cc3cd9dab2e260
  • SHA1: f5e8dc4e5429789475b41b70175c57bf98667878
  • SHA256: 8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249
  • SHA512: a2551f85c24c1a078b2e9a734023d24a94ea13108f98b16b1f878e0400bf81846e12163bec9ac51f0babbf5ccca7ca63321dc3fe2978eb3df4394fc4ce57f902
  • SSDEEP: 384:/TLoBEse1egPc2RmwebA6/T6yjGTzDFKDsywKyPXWGBEyuA2Rt9Qo6WBlWJ7hlsP:/QWeVGSA+rjGTvejm2yuA2R8yY7zskO

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.exe
    "C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3308
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s c:\abc.reg
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Runs .reg file with regedit
      PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1.bat
      2⤵
      PID:3852

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.bat
    Filesize: 291B
    MD5: 1a3f80f3fc0dedef71657b08f8ab26b6
    SHA1: 745d17d29e656f0f57a3d2d8db260af1e2126e35
    SHA256: 30f21a694fbd0bc1bd06d81d0221fb8a5b3390ba4cfa0ef0db8be6b80bba6133
    SHA512: c94f5a0d84eb89913817607846223ed7d34b799f90dd4b3e1918614414281bfd16d051701843b7a6cb0e623d1e2cba671fe1bb249e62c9df3bd0d7b9eff1224f

  • C:\Users\Admin\AppData\Local\Temp\8cf7d7bc828ee7b38a5d9a495acfcadc39e0b0e03534259b9fd3af46aa942249.doc
    Filesize: 51KB
    MD5: 20b403a310eb164cc7903e026d62a7d1
    SHA1: b46bfec790c512cb02f15c94817b7f974de6e09f
    SHA256: 1364c66dbddf5a8bb0f9a21b368ef41bb7054de8356b55c1fe4685bcf8189e0c
    SHA512: eb4991ae0a93f9b3a874ea67d3ff5754f82cb5fdf4783294b854cff9d7ccc0c615fde7c38f9b9814423407163efe5f0af72e5eec3bb0a08941e16d0aea3a073c

  • \??\c:\abc.reg
    Filesize: 605B
    MD5: 919c47af89419610da8379f1a4bc4406
    SHA1: 8a38ced0244af3ea4f31ef83a79b02c33db7c99f
    SHA256: b6ae6b39d808e52cd4971732f205bfb3ad8d4fb9559e26db6620e693fd9cf873
    SHA512: 7fd7689941a74377ee2c2efe35103f69a5fe47baeb19265f7470cff5e83313df0087206603e85debf5939a26dd5fb881ee8bf91ea8c1ce5ef511808af537a580

  • memory/3308-144-0x00007FFE617F0000-0x00007FFE61800000-memory.dmp (Filesize: 64KB)
  • memory/3308-139-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-141-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-140-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-143-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-142-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-145-0x00007FFE617F0000-0x00007FFE61800000-memory.dmp (Filesize: 64KB)
  • memory/3308-148-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-149-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-150-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)
  • memory/3308-151-0x00007FFE63C70000-0x00007FFE63C80000-memory.dmp (Filesize: 64KB)