Analysis
max time kernel: 92s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
  Resource: win10v2004-20220812-en
General
Target: eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
Size: 25KB
MD5: a08a0aa983e1c95c1b72394fd1b18e70
SHA1: 58c3b51ccdb1aac67d09443e28a52b6f24bb7e52
SHA256: eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7
SHA512: 968e1fc119ac2aa96067de653115d2f9c301e53e034b37ea5dfcbafbc789acb4155ac8f48aa5561df06c15cca24b564d851a9f29668205fc26a8ed890082f2fd
SSDEEP: 768:DS7nh4aQC9xkV1tdgI2MyzNORQtOflIwoHNV2XBFV72B4lA7ZsUI+/V:DS7nK8eztdgI2MyzNORQtOflIwoHNV2u
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 4580  process ffengh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  process eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  process ffengh.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5012 wrote to memory of 4580  process eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe  procid_target 80
  PID 5012 wrote to memory of 4580  process eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe  procid_target 80
  PID 5012 wrote to memory of 4580  process eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe  procid_target 80
Processes
1. C:\Users\Admin\AppData\Local\Temp\eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe  (PID 5012)
   command line: "C:\Users\Admin\AppData\Local\Temp\eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ffengh.exe  (PID 4580, child of PID 5012)
      command line: "C:\Users\Admin\AppData\Local\Temp\ffengh.exe"
      - Executes dropped EXE
      - Checks computer location settings
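The signatures above are individually weak: a binary in %TEMP% launching a second binary in %TEMP% is what most installers do, a read of Geo\Nation is how any locale-aware program finds the user's country, and cross-process memory writes have benign uses. What makes this report interesting is the combination on one parent/child pair. The following is an added example (not tria.ge's code) that replays the report's process tree, registry reads and WriteProcessMemory events as constructed telemetry and scores them together; the event dict layout and field names are this example's own and stand in for whatever your EDR or ETW pipeline emits. The sample's own parent PID is not in the report, so a placeholder is used.

```python
"""Correlate the report's behaviours into one scored finding (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Per-user temp directory, the drop location seen in the report.
TEMP_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Locale GeoID value that both processes read; the report flags it as a likely geofence.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)

SID = "S-1-5-21-2891029575-1462575-1165213807-1000"
PARENT_IMG = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\eaafb7915450bb43dc6d6227b6761f2f5dea9b632443f4bcf2efebed874f5da7.exe")
CHILD_IMG = r"C:\Users\Admin\AppData\Local\Temp\ffengh.exe"
GEO_KEY = r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID

# Constructed telemetry mirroring the report; ppid 1000 for the sample is a placeholder
# (the sandbox launcher's PID is not in the report).
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 5012, "ppid": 1000, "image": PARENT_IMG},
    {"type": "reg_query", "pid": 5012, "key": GEO_KEY},
    {"type": "process_create", "pid": 4580, "ppid": 5012, "image": CHILD_IMG},
    {"type": "write_process_memory", "pid": 5012, "target_pid": 4580},
    {"type": "write_process_memory", "pid": 5012, "target_pid": 4580},
    {"type": "write_process_memory", "pid": 5012, "target_pid": 4580},
    {"type": "reg_query", "pid": 4580, "key": GEO_KEY},
]


def correlate(events: List[Dict], min_score: int = 2) -> List[Dict]:
    """Return one finding per %TEMP%-to-%TEMP% parent/child pair whose score >= min_score.

    Score: 1 for the Temp-to-Temp launch itself, +1 if the parent wrote into the
    child's memory, +1 if either process queried Geo\\Nation.  The default threshold
    of 2 keeps a plain installer chain (score 1) out of the alert queue.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    geo_pids = {e["pid"] for e in events
                if e["type"] == "reg_query" and GEO_NATION.search(e["key"])}
    writes: Dict[tuple, int] = defaultdict(int)
    for e in events:
        # Only cross-process writes count; a process writing its own memory is normal.
        if e["type"] == "write_process_memory" and e["pid"] != e["target_pid"]:
            writes[(e["pid"], e["target_pid"])] += 1

    findings = []
    for pid, child in procs.items():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        if not (TEMP_DIR.match(parent["image"]) and TEMP_DIR.match(child["image"])):
            continue
        n_writes = writes.get((parent["pid"], pid), 0)
        geofence = parent["pid"] in geo_pids or pid in geo_pids
        score = 1 + (1 if n_writes else 0) + (1 if geofence else 0)
        if score >= min_score:
            findings.append({"parent": parent["pid"], "child": pid,
                             "memory_writes": n_writes, "geofence_check": geofence,
                             "score": score})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Two telemetry caveats before porting this to a real pipeline. Sysmon does not log registry value reads (its registry events 12, 13 and 14 cover key create/delete, value set and rename), so the Geo\Nation query needs an EDR or an ETW registry provider that records queries. Sysmon also has no WriteProcessMemory event; the closest approximation is Event ID 10 (ProcessAccess) with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x0020), which is what the parent needs to open the child with before writing.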
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 25KB
MD5: 786ca66a1428c854056c1685f2936fac
SHA1: 524e6d4ba2953f96e2acf8705cbc466a16a83c71
SHA256: 9feece5140f270b3bf6bdd05fc2b34304af238ad15f2b4e4014441428f65eb8c
SHA512: 138d2abdf8e1c822865cef7b0a45f49c64542e3cef78533fecde6a243b350b4608df620828e2b02b8b07d4f1c751826e88d84886fc9a36e3b86f16a6fb25a0d8
Note that these hashes differ from the submitted sample's, so this is a distinct file despite the identical 25KB size; match on SHA256, not on size, when checking which stage you have recovered from a host.