Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
20/10/2022, 10:15
General
-
Target
f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470.exe
-
Size
140KB
-
MD5
8105ddb3424410d0976541ce8ccc1180
-
SHA1
9f8218beda4df48045eee3dde10eeba91ee98b8f
-
SHA256
f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470
-
SHA512
85326db45adc72e144fa8b3a678bbdc9386fd3cabfd8973963652c5718a0c92f982bd8fb002b41f91bf519cc917e0eb2f2bf65de23289d74abcbb921e739a092
-
SSDEEP
3072:uu57vfo1bhEHcml4TlcKZukAIX09ZfUsHOQBRSc:uGvfkVE8ml4GK8iUfvR
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 29 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470.exe"C:\Users\Admin\AppData\Local\Temp\f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470.exe"C:\Users\Admin\AppData\Local\Temp\f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470.exe"782⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 65.52.0.0/14 0.0.0.03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 65.52.0.0/14 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.56.0.0/14 0.0.0.03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.56.0.0/14 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.60.0.0/16 0.0.0.03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.60.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.54.0.0/15 0.0.0.03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.54.0.0/15 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 216.239.32.0/19 0.0.0.03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 216.239.32.0/19 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 74.125.0.0/16 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 74.125.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.164.0/24 0.0.0.03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.164.0/24 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.165.0/24 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.165.0/24 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.166.0/24 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.166.0/24 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.167.0/24 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.167.0/24 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 72.32.0.0/16 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 72.32.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 46.4.0.0/16 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 46.4.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 67.15.0.0/16 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 67.15.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 77.234.40.0/24 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 77.234.40.0/24 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 95.211.0.0/16 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 95.211.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 195.122.128.0/18 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 195.122.128.0/18 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 85.12.0.0/18 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 85.12.0.0/18 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 195.27.0.0/16 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 195.27.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 62.128.100.0/23 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 62.128.100.0/23 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 161.69.0.0/16 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 161.69.0.0/16 0.0.0.04⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 58.27.64.0/18 0.0.0.03⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 58.27.64.0/18 0.0.0.04⤵
-
-
-
C:\Users\Admin\dgvuej.exe"C:\Users\Admin\dgvuej.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\dgvuej.exe"C:\Users\Admin\dgvuej.exe" 784⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 65.52.0.0/14 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 65.52.0.0/14 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.56.0.0/14 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.56.0.0/14 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.60.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.60.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 157.54.0.0/15 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 157.54.0.0/15 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 216.239.32.0/19 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 216.239.32.0/19 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 74.125.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 74.125.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.164.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.164.0/24 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.165.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.165.0/24 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.166.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.166.0/24 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 91.228.167.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 91.228.167.0/24 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 72.32.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 72.32.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 46.4.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 46.4.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 67.15.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 67.15.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 77.234.40.0/24 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 77.234.40.0/24 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 95.211.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 95.211.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 195.122.128.0/18 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 195.122.128.0/18 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 195.27.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 195.27.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 85.12.0.0/18 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 85.12.0.0/18 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 62.128.100.0/23 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 62.128.100.0/23 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 161.69.0.0/16 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 161.69.0.0/16 0.0.0.06⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c route add 58.27.64.0/18 0.0.0.05⤵
-
C:\Windows\SysWOW64\ROUTE.EXEroute add 58.27.64.0/18 0.0.0.06⤵
-
-
-
-
-
C:\Windows\SysWOW64\PhotoScreensaver.scr"C:\Windows\System32\PhotoScreensaver.scr" /S3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
MD58105ddb3424410d0976541ce8ccc1180
SHA19f8218beda4df48045eee3dde10eeba91ee98b8f
SHA256f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470
SHA51285326db45adc72e144fa8b3a678bbdc9386fd3cabfd8973963652c5718a0c92f982bd8fb002b41f91bf519cc917e0eb2f2bf65de23289d74abcbb921e739a092
-
Filesize
140KB
MD58105ddb3424410d0976541ce8ccc1180
SHA19f8218beda4df48045eee3dde10eeba91ee98b8f
SHA256f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470
SHA51285326db45adc72e144fa8b3a678bbdc9386fd3cabfd8973963652c5718a0c92f982bd8fb002b41f91bf519cc917e0eb2f2bf65de23289d74abcbb921e739a092
-
Filesize
140KB
MD58105ddb3424410d0976541ce8ccc1180
SHA19f8218beda4df48045eee3dde10eeba91ee98b8f
SHA256f93c68970d08981ed0bde3893da64482a88bce8d1587c085c0ed806e2a9d2470
SHA51285326db45adc72e144fa8b3a678bbdc9386fd3cabfd8973963652c5718a0c92f982bd8fb002b41f91bf519cc917e0eb2f2bf65de23289d74abcbb921e739a092
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB