Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

dfc442a06b...c7.exe

windows7-x64

8

dfc442a06b...c7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    83s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe

  • Size

    3.0MB

  • MD5

    a3acbd698ff32feb9a738fd573d042f5

  • SHA1

    c53627a065620b31fe91796b0293a46967787b48

  • SHA256

    dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7

  • SHA512

    d61378234d3b1c75d49f7c3adad7127ee8e36661608500ad458708929eff6924f545e9bdc1d0ef6c3737ae72fca960630aeb309e7bad3e5dac2949db6323379f

  • SSDEEP

    98304:7NQPOuvJmG889PIGgMh8m8XQYXAWveg+ldUmOD:+PA8WGlhbuPvC9G

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe
    "C:\Users\Admin\AppData\Local\Temp\dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\temp\WebSaver\1666262021\dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe
      C:\Users\Admin\AppData\Local\temp\\WebSaver\1666262021\\dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe "C:\Users\Admin\AppData\Local\Temp\dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe" 2040832 252104828
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\temp\WebSaver\1666262021\dmoffice.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WebSaver\1666262021\dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe
    Filesize

    1.9MB

    MD5

    46476a54546d3187a212799b7adc4fc0

    SHA1

    252df7c036f3ec1922d253a5d6e8eb548e678db0

    SHA256

    a261b0e3eb976e5209f30ccf0be41bc9b708c184fd260dff4f7cc80ea601e71c

    SHA512

    ec1ea746e7d105db861cd0a39047e34c9ca588570939224371b4458cd5230b1445a2b0cc9ddf0d6f54196003ae47d1e8d35a3518c4fdd7dc98cb6fe1f1808905

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WebSaver\1666262021\dmoffice.dll
    Filesize

    115KB

    MD5

    34629672023f707eb7117c981e9c5d1d

    SHA1

    d9b8e3e7459d105c86fd9ca55461e121bc028d9f

    SHA256

    abfde2d27485e1e70b598711aaa24e3ae70e4782f991914d6a175ff3bbf0867d

    SHA512

    1c9ca8ac4bba76542ce5bb469b99d596cc2577b005aa3077aec31a6a441313d7f7720c856da5d4d1f0988fa56b1c8a27b52e8063a542aa897fd56eb084047877

    Download Submit

  • C:\Users\Admin\AppData\Local\temp\WebSaver\1666262021\dfc442a06bd3c1aa6a5d1edfb6fbf2c1372f527c0f02628940a98668e045eac7.exe
    Filesize

    1.9MB

    MD5

    46476a54546d3187a212799b7adc4fc0

    SHA1

    252df7c036f3ec1922d253a5d6e8eb548e678db0

    SHA256

    a261b0e3eb976e5209f30ccf0be41bc9b708c184fd260dff4f7cc80ea601e71c

    SHA512

    ec1ea746e7d105db861cd0a39047e34c9ca588570939224371b4458cd5230b1445a2b0cc9ddf0d6f54196003ae47d1e8d35a3518c4fdd7dc98cb6fe1f1808905

    Download Submit

  • C:\Users\Admin\AppData\Local\temp\WebSaver\1666262021\dmoffice.dll
    Filesize

    115KB

    MD5

    34629672023f707eb7117c981e9c5d1d

    SHA1

    d9b8e3e7459d105c86fd9ca55461e121bc028d9f

    SHA256

    abfde2d27485e1e70b598711aaa24e3ae70e4782f991914d6a175ff3bbf0867d

    SHA512

    1c9ca8ac4bba76542ce5bb469b99d596cc2577b005aa3077aec31a6a441313d7f7720c856da5d4d1f0988fa56b1c8a27b52e8063a542aa897fd56eb084047877

    Download Submit

  • memory/1476-135-0x0000000000400000-0x0000000000E86000-memory.dmp

    Filesize

    10.5MB

    Download

  • memory/1476-140-0x0000000000400000-0x0000000000E86000-memory.dmp

    Filesize

    10.5MB

    Download

  • memory/2948-139-0x0000000022000000-0x0000000022049000-memory.dmp

    Filesize

    292KB

    Download