Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 94s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/10/2022, 15:41
Behavioral task: behavioral1
- Sample: af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
- Resource: win10v2004-20220812-en
General
- Target: af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
- Size: 49KB
- MD5: 9161fad1e911bad9e15e89de2749eb90
- SHA1: 64aa054a8c8bdba8d7d4d3afe998d04d566f6e02
- SHA256: af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8
- SHA512: 3c6a422e54174ff0b67c2283d9ee364e04f5f7884e1ebfa168ffed7a86609be62071d99f6ebb44b122901ae92d784bbc1706536e542e370394a2cadfe2c565c6
- SSDEEP: 1536:ooKo93XfyaW+OOoQQUcOJ1t6GBIvsgajtHE6V:TKo9HnOQHT1t5BIsg0D
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  3948 | iealore.exe
- resource | yara_rule
  behavioral2/memory/4964-132-0x0000000000400000-0x000000000041E000-memory.dmp | upx
  behavioral2/memory/4964-136-0x0000000000400000-0x000000000041E000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\WINDOWS\Help\iealore.exe | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (3 IoCs)
  pid | Process
  4564 | taskkill.exe
  4204 | taskkill.exe
  4404 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4564 | taskkill.exe
  Token: SeDebugPrivilege | 4204 | taskkill.exe
  Token: SeDebugPrivilege | 4404 | taskkill.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4964 wrote to memory of 4564 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 82
  PID 4964 wrote to memory of 4564 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 82
  PID 4964 wrote to memory of 4564 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 82
  PID 4964 wrote to memory of 4204 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 84
  PID 4964 wrote to memory of 4204 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 84
  PID 4964 wrote to memory of 4204 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 84
  PID 4964 wrote to memory of 4404 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 86
  PID 4964 wrote to memory of 4404 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 86
  PID 4964 wrote to memory of 4404 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 86
  PID 4964 wrote to memory of 3948 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 88
  PID 4964 wrote to memory of 3948 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 88
  PID 4964 wrote to memory of 3948 | 4964 | af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4964
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 4564
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im SkypeClient.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 4204
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 4404
  - C:\WINDOWS\Help\iealore.exe
    Command line: "C:\WINDOWS\Help\iealore.exe"
    - Executes dropped EXE
    PID: 3948
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 13KB
  MD5: 97ad9b43e6528f377f66f2bc82161456
  SHA1: 240a1824f44044c6e2b5fca135ff997191dea4bd
  SHA256: d4941e18e5b0e7039c4dabb96ce9d73cd710bf8f3a775cbaf1b38921d2ce0fc2
  SHA512: b9709f661104ace85a26097fce9579bc6ec779c3899e18b99069273fc920a22271bf3971ed7f49c96ac2afb1bc0cd355e26f729629ae19277cc9c6a5ccc571c0