Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 15:41

General

  • Target

    af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe

  • Size

    49KB

  • MD5

    9161fad1e911bad9e15e89de2749eb90

  • SHA1

    64aa054a8c8bdba8d7d4d3afe998d04d566f6e02

  • SHA256

    af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8

  • SHA512

    3c6a422e54174ff0b67c2283d9ee364e04f5f7884e1ebfa168ffed7a86609be62071d99f6ebb44b122901ae92d784bbc1706536e542e370394a2cadfe2c565c6

  • SSDEEP

    1536:ooKo93XfyaW+OOoQQUcOJ1t6GBIvsgajtHE6V:TKo9HnOQHT1t5BIsg0D

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
    "C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4564
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im SkypeClient.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4404
    • C:\WINDOWS\Help\iealore.exe
      "C:\WINDOWS\Help\iealore.exe"
      2⤵
      • Executes dropped EXE
      PID:3948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Help\iealore.exe

    Filesize

    13KB

    MD5

    97ad9b43e6528f377f66f2bc82161456

    SHA1

    240a1824f44044c6e2b5fca135ff997191dea4bd

    SHA256

    d4941e18e5b0e7039c4dabb96ce9d73cd710bf8f3a775cbaf1b38921d2ce0fc2

    SHA512

    b9709f661104ace85a26097fce9579bc6ec779c3899e18b99069273fc920a22271bf3971ed7f49c96ac2afb1bc0cd355e26f729629ae19277cc9c6a5ccc571c0

  • memory/4964-132-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/4964-136-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB