Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
175s -
max time network
215s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21/10/2022, 02:11
General
-
Target
1ed8a4f921341747b78449aee8152fc337d83e9d0aa0198e0b9f32a873a57571.exe
-
Size
148KB
-
MD5
5d7b79d93d1490a8bb0766f5fe14b9e0
-
SHA1
6724e23a53061dae97ca19813de3a2b19e53127a
-
SHA256
1ed8a4f921341747b78449aee8152fc337d83e9d0aa0198e0b9f32a873a57571
-
SHA512
69ed380aa757802b6324b76a15c419f06e6a657bfba4d72172bd2c0894d7dc5d8e30c1b5d414d1da263ebd5ec2233e7edf3839dc18ec7d1206ace3ada6234b02
-
SSDEEP
3072:o3A5lgVnQ7GsRwNqmAlITlU4Q+SparIKxOXD2hR:o8GsOFA+o+SpEIKxOT
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ed8a4f921341747b78449aee8152fc337d83e9d0aa0198e0b9f32a873a57571.exe"C:\Users\Admin\AppData\Local\Temp\1ed8a4f921341747b78449aee8152fc337d83e9d0aa0198e0b9f32a873a57571.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 1ed8a4f921341747b78449aee8152fc3372⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-