Analysis

  • max time kernel
    167s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 05:04

General

  • Target

    ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe

  • Size

    28KB

  • MD5

    7cd3fa5c8d3c3730dd7cfd13649e6ee9

  • SHA1

    9127b742ee66a055709e348d8934b0c04409a7cc

  • SHA256

    ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5

  • SHA512

    d5caaa22de36a8e119f16d96a196147065ce7efa7b7dc0bf38ba2731de0599ea9c38cd5ee4ecadcb3f9e261f6c01678a9d3abf5cd52542d8550d69ada7d62eef

  • SSDEEP

    384:/TNUFewBPnrm+zmD+aC+EA33nDQKXhFlzQKXCFlmEvJrIRtDr4EYs81fp:/oPybiqXDQKQMEviTsEA1f

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe
    "C:\Users\Admin\AppData\Local\Temp\ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SE.bat" 0"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SL.bat" 0"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\attrib.exe
        attrib +r C:\Windows\system32\drivers\etc\hosts
        3⤵
        • Views/modifies file attributes
        PID:2148
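The process tree above shows a small but telling sequence: the sample spawns cmd.exe to run SE.bat, which calls `attrib -r` on `C:\Windows\system32\drivers\etc\hosts`, and later runs SL.bat, which calls `attrib +r` on the same file. Clearing the read-only bit, doing something to the file, then restoring the bit is the classic "unlock, edit, relock" pattern for hosts-file tampering (DNS redirection or blocking of update/AV domains). The report shows only the two batch files by size and hash, not their contents, so what was written to hosts in between is not visible here. The following is an added detection example, not part of the sandbox report: it runs over process-creation events (Sysmon Event ID 1 / Security 4688 style fields) and groups every `attrib` invocation against the hosts file by its top-level ancestor, so the `-r` and `+r` pair is reported as one finding even though they come from different cmd.exe children. The event records are constructed inline for the example; their PIDs and command lines are taken from the tree above, and the field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption about how your log pipeline labels them.

```python
import re
from typing import Dict, List

# Matches the hosts file regardless of drive letter or system-root spelling.
HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts\b", re.IGNORECASE)

# Constructed sample events (assumed field names), in process-creation order.
# PIDs and command lines mirror the report's process tree; the last event is
# benign noise (attrib against a user file) that must not be flagged.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe"
EVENTS: List[dict] = [
    {"pid": 5080, "ppid": 1234, "image": DROPPER, "cmdline": '"' + DROPPER + '"'},
    {"pid": 4092, "ppid": 5080, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SE.bat" 0"'},
    {"pid": 2208, "ppid": 4092, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib -r C:\Windows\system32\drivers\etc\hosts"},
    {"pid": 2112, "ppid": 5080, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SL.bat" 0"'},
    {"pid": 2148, "ppid": 2112, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib +r C:\Windows\system32\drivers\etc\hosts"},
    {"pid": 3000, "ppid": 600, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +r C:\Users\Admin\notes.txt"},
]


def attrib_flags(cmdline: str) -> List[str]:
    """Return attrib's +/- attribute switches (e.g. ['-r']) found in a command line."""
    return [f.lower() for f in re.findall(r"(?<!\S)([+-][rhsai])(?!\S)", cmdline, re.IGNORECASE)]


def root_of(pid: int, by_pid: Dict[int, dict]) -> dict:
    """Walk the parent chain up to the highest ancestor we have an event for."""
    node = by_pid[pid]
    seen = {pid}
    while node["ppid"] in by_pid and node["ppid"] not in seen:
        seen.add(node["ppid"])
        node = by_pid[node["ppid"]]
    return node


def detect(events: List[dict]) -> List[dict]:
    """Group attrib.exe invocations against the hosts file by root ancestor.

    Returns one finding per root process with the ordered list of flags seen.
    A lone '-r' is still reported (attribute-change); the '-r' then '+r'
    sequence is labelled 'unlock-relock', the pattern in the report's tree.
    """
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, dict] = {}
    for e in events:  # events are assumed to be in creation order
        if e["image"].lower().rsplit("\\", 1)[-1] != "attrib.exe":
            continue
        if not HOSTS_RE.search(e["cmdline"]):
            continue
        root = root_of(e["pid"], by_pid)
        f = findings.setdefault(root["pid"], {
            "root_pid": root["pid"], "root_image": root["image"],
            "flags": [], "attrib_pids": [], "pattern": "attribute-change",
        })
        f["flags"].extend(attrib_flags(e["cmdline"]))
        f["attrib_pids"].append(e["pid"])
        if f["flags"] == ["-r", "+r"]:
            f["pattern"] = "unlock-relock"
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(f"[{finding['pattern']}] root pid {finding['root_pid']} "
              f"({finding['root_image']}) attrib pids {finding['attrib_pids']} "
              f"flags {finding['flags']}")
```

Grouping by root ancestor rather than by direct parent is what makes the pair visible: each `attrib` here is a grandchild of the dropper through a different cmd.exe, so a per-parent rule would see two unrelated single events. On a live host the complementary check is the file itself: compare the current attributes and hash of `drivers\etc\hosts` against a known-good baseline, since the report does not show what the batch files wrote between the two `attrib` calls.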

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SE.bat

    Filesize

    49B

    MD5

    d013cc282f8c7dd36aa46b9db97f14ca

    SHA1

    1d6d23a62127302e4a6409aaa45902186bccf552

    SHA256

    46eec18440b6879e3271fb55049330c6c33a89131a0d4bd57631e4633d1d59d0

    SHA512

    c171985b9aa7dcb19590e5c40c4512a02776afb67abfc1b984112a5ce6e3a0ad6db61ea3851dbf2b6f5f0ad0495b4b9c33015bfc68a9bb16b46c40c6363705e6

  • C:\Users\Admin\AppData\Local\Temp\SL.bat

    Filesize

    49B

    MD5

    e271e0a233b644da15be208de2a9aae1

    SHA1

    732d068d81bcdf50709be42245264e3c0b7670e8

    SHA256

    19951fc879d9c1ca5b53d0451539ec2e5bbdaa6cc3dada46194aded4cc1b8054

    SHA512

    edc34083fadcdc9d1b78696b60faa40f75ef7f0f53ee1cd523b87005267f217d00171a13ae9308c42efdaf19e90c1d6526342ceb9a4dedefeeb0d59f2b5f0473

  • memory/5080-132-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/5080-139-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB