Analysis
- max time kernel: 182s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 19:32
Static task: static1
Behavioral task: behavioral1
- Sample: c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
- Resource: win10v2004-20220812-en
General
- Target: c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
- Size: 135KB
- MD5: 965e6792655c4854a820cf27e7748710
- SHA1: 11434d0edc67382f2887e6e470b8ea2b9aa4de13
- SHA256: c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e
- SHA512: bd5d299311f93b7da822b0720147962ddc4277c65c0bd6e885de51b94a801f7474174a581b9d6f0af3208dd4be4d2b5d2c62f98607f7d39c9fcf6b8634ed330d
- SSDEEP: 3072:nL/Kd9XnJ4OXwHlt8qQg3Oi1OXvtWxepexZKj5tCYTK:WhJZYlgvtWepexZEK
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1520  Taskngr.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                               Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe

- Drops startup file (3 IoCs)
  description                    ioc                                                                                       Process
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ck2ZkFjuexVzhT.exe  Taskngr.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ck2ZkFjuexVzhT.exe  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ck2ZkFjuexVzhT.exe  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ck2ZkFjuexVzhT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe"  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ck2ZkFjuexVzhT = "C:\\Users\\Admin\\AppData\\Roaming\\Taskngr.exe"  Taskngr.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4032  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
  1520  Taskngr.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1520  Taskngr.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4032  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
  Token: SeDebugPrivilege  1520  Taskngr.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4032  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
  1520  Taskngr.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4032  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
  1520  Taskngr.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 4032 wrote to memory of 1520   4032  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe  83
  PID 4032 wrote to memory of 1520   4032  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe  83
  PID 4032 wrote to memory of 1520   4032  c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe  83
Processes
- C:\Users\Admin\AppData\Local\Temp\c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e.exe"
  PID: 4032
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Taskngr.exe (child of PID 4032)
    Command line: "C:\Users\Admin\AppData\Roaming\Taskngr.exe"
    PID: 1520
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 135KB
  MD5: 965e6792655c4854a820cf27e7748710
  SHA1: 11434d0edc67382f2887e6e470b8ea2b9aa4de13
  SHA256: c981b63a4499bf9dbb00eb776f73535488893d131d06e4def2da070e10d8128e
  SHA512: bd5d299311f93b7da822b0720147962ddc4277c65c0bd6e885de51b94a801f7474174a581b9d6f0af3208dd4be4d2b5d2c62f98607f7d39c9fcf6b8634ed330d