Analysis
max time kernel: 92s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 14:27
Behavioral task: behavioral1
Sample: 766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
Resource: win10v2004-20220812-en
General
Target: 766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
Size: 400KB
MD5: a19d9fb62c7955caa9d284e66a6f07f0
SHA1: b28a0e62325500a2a438eeb23159c3995e7be479
SHA256: 766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965
SHA512: 59ce44fb0e0c167cd7df6618ab7cf81661c911bed91896600de588e237dea7939a1337cd5e1ae29ebe6286825a0b03d041a4dbc2a129a48959e4df642632f369
SSDEEP: 12288:j6Wq4aaE6KwyF5L0Y2D1PqLEr7xznGa3c2y:JthEVaPqLAzTs2y
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2160  commander.exe
  4528  commander.exe

  resource                                                                      yara_rule
  behavioral2/memory/5052-132-0x0000000000400000-0x00000000004C8000-memory.dmp  upx
  behavioral2/memory/5052-139-0x0000000000400000-0x00000000004C8000-memory.dmp  upx

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                      yara_rule
  behavioral2/memory/5052-139-0x0000000000400000-0x00000000004C8000-memory.dmp  autoit_exe

Drops file in System32 directory (1 IoCs)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\commander.exe  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe

Drops file in Windows directory (2 IoCs)
  description                   ioc                    Process
  File created                  C:\Windows\svhost.exe  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
  File opened for modification  C:\Windows\svhost.exe  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                procid_target
  PID 5052 wrote to memory of 2160  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe  81
  PID 5052 wrote to memory of 2160  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe  81
  PID 5052 wrote to memory of 2160  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe  81
  PID 2160 wrote to memory of 4612  2160  commander.exe                                                          83
  PID 2160 wrote to memory of 4612  2160  commander.exe                                                          83
  PID 2160 wrote to memory of 4612  2160  commander.exe                                                          83
  PID 5052 wrote to memory of 4528  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe  84
  PID 5052 wrote to memory of 4528  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe  84
  PID 5052 wrote to memory of 4528  5052  766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe  84
  PID 4528 wrote to memory of 1076  4528  commander.exe                                                          86
  PID 4528 wrote to memory of 1076  4528  commander.exe                                                          86
  PID 4528 wrote to memory of 1076  4528  commander.exe                                                          86
Processes

1. C:\Users\Admin\AppData\Local\Temp\766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe"
   PID: 5052
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\commander.exe
      Command line: commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
      PID: 2160
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\at.exe
         Command line: at 9:00 /interactive C:\Windows\svhost.exe
         PID: 4612

   2. C:\Windows\SysWOW64\commander.exe
      Command line: commander.exe /C schtasks /run /tn at1
      PID: 4528
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks /run /tn at1
         PID: 1076
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 231KB
MD5: 690ccf3a840cedf07454610f27a140e5
SHA1: 2d31b46d695bcf4e7192fbc385347daeaf883639
SHA256: 60ff482bbd9b7061e9969a7ea636548feeeaff7ac056f117a581065e4297d13a
SHA512: d717ca2f5b0524659784c2ffd14410133a292979dd3da9961da840af5ebbd146d415065d1e282d22a71fdd476f2fd87cf4d638e612804bf6230ce59c1e6b0158