Analysis
max time kernel: 153s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 17:23
Static task: static1
Behavioral task: behavioral1
  Sample: effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
  Resource: win10v2004-20220812-en
General
Target: effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
Size: 648KB
MD5: a069d7bf37f77e2f29243cad9a481db0
SHA1: c67c18b9e200146572a0f923b3cc1fe0c1a8d53f
SHA256: effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658
SHA512: 6beb78f47e8ee6b4d07fc9a3e92078dce6cd78a4dfd92c46d96d56906cbdedf1dddd24d5f8dc8ebdfc0dd84bfdf578ddb81955468395e1b570b6f96073da2d64
SSDEEP: 12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures

- Executes dropped EXE (3 IoCs)
  pid   Process
  5016  atgok.exe
  4900  ~DFA241.tmp
  5028  fudur.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                             Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  ~DFA241.tmp

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid   Process
  5028  fudur.exe  (this row is reported 40 times)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4900  ~DFA241.tmp

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                  procid_target
  PID 312 wrote to memory of 5016   312   effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe  81  (reported 3 times)
  PID 5016 wrote to memory of 4900  5016  atgok.exe                                                                82  (reported 3 times)
  PID 312 wrote to memory of 368    312   effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe  83  (reported 3 times)
  PID 4900 wrote to memory of 5028  4900  ~DFA241.tmp                                                              93  (reported 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\effea44345ec783588f9c76873b7479e44a56a97eabfae6cd227fade90185658.exe"
  PID: 312
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\atgok.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\atgok.exe
      PID: 5016
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp
          Command line: C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp OK
          PID: 4900
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\fudur.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\fudur.exe"
              PID: 5028
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      PID: 368
Network
MITRE ATT&CK Enterprise v6
Downloads