Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    92s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 14:27

General

  • Target

    766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe

  • Size

    400KB

  • MD5

    a19d9fb62c7955caa9d284e66a6f07f0

  • SHA1

    b28a0e62325500a2a438eeb23159c3995e7be479

  • SHA256

    766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965

  • SHA512

    59ce44fb0e0c167cd7df6618ab7cf81661c911bed91896600de588e237dea7939a1337cd5e1ae29ebe6286825a0b03d041a4dbc2a129a48959e4df642632f369

  • SSDEEP

    12288:j6Wq4aaE6KwyF5L0Y2D1PqLEr7xznGa3c2y:JthEVaPqLAzTs2y

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe
    "C:\Users\Admin\AppData\Local\Temp\766faa517a84ec9b4d84e4663256247873ecc3cb3d56256df61e14eb594e9965.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Windows\SysWOW64\commander.exe
      commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\at.exe
        at 9:00 /interactive C:\Windows\svhost.exe
        3⤵
          PID:4612
      • C:\Windows\SysWOW64\commander.exe
        commander.exe /C schtasks /run /tn at1
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /run /tn at1
          3⤵
            PID:1076

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\commander.exe

        Filesize

        231KB

        MD5

        690ccf3a840cedf07454610f27a140e5

        SHA1

        2d31b46d695bcf4e7192fbc385347daeaf883639

        SHA256

        60ff482bbd9b7061e9969a7ea636548feeeaff7ac056f117a581065e4297d13a

        SHA512

        d717ca2f5b0524659784c2ffd14410133a292979dd3da9961da840af5ebbd146d415065d1e282d22a71fdd476f2fd87cf4d638e612804bf6230ce59c1e6b0158

      • C:\Windows\SysWOW64\commander.exe

        Filesize

        231KB

        MD5

        690ccf3a840cedf07454610f27a140e5

        SHA1

        2d31b46d695bcf4e7192fbc385347daeaf883639

        SHA256

        60ff482bbd9b7061e9969a7ea636548feeeaff7ac056f117a581065e4297d13a

        SHA512

        d717ca2f5b0524659784c2ffd14410133a292979dd3da9961da840af5ebbd146d415065d1e282d22a71fdd476f2fd87cf4d638e612804bf6230ce59c1e6b0158

      • memory/5052-132-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/5052-139-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB