Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
30s -
max time network
57s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2022, 22:13
Static task
static1
Behavioral task
behavioral1
Sample
da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe
Resource
win10v2004-20220812-en
General
-
Target
da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe
-
Size
1.5MB
-
MD5
0d63a26c1e9bd7f7b5aa31df64030ce3
-
SHA1
fc93d332dfdb99337b9fdc28895adf1bfa46aa62
-
SHA256
da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc
-
SHA512
cb4247469fbcf3a208e5afc9cdb41f7a7047ed1eb69a178fea40c17ae80f64bb6e06c6da92c4f3196486fc149096b978e6a1e1e14bfbbd9ab7832510b8b53216
-
SSDEEP
24576:3RmJkcoQricOIQxiZY1ialMai6Ro1s8JyfsOqa6tBkazn572zqto4L+rXgWm:8JZoQrbTFZY1ialMaiNFyfsOlc95Ikom
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/2076-139-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/memory/2076-142-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/memory/2076-141-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/memory/2076-147-0x0000000000400000-0x0000000000425000-memory.dmp upx behavioral2/memory/2808-150-0x0000000001610000-0x000000000171E000-memory.dmp upx behavioral2/memory/2808-153-0x0000000001610000-0x000000000171E000-memory.dmp upx behavioral2/memory/2808-155-0x0000000001610000-0x000000000171E000-memory.dmp upx behavioral2/memory/2808-157-0x0000000001610000-0x000000000171E000-memory.dmp upx behavioral2/memory/2808-156-0x0000000001610000-0x000000000171E000-memory.dmp upx behavioral2/memory/2808-151-0x0000000001610000-0x000000000171E000-memory.dmp upx behavioral2/memory/2808-149-0x0000000001610000-0x000000000171E000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1984 da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe 1984 da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1984 da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe 1984 da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe"C:\Users\Admin\AppData\Local\Temp\da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe"C:\Users\Admin\AppData\Local\Temp\da1cfb8b31e9e48f2dc9c4b59b8009cff044e4351805312262b9c56561476edc.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\hRJchVhUf2⤵PID:4396
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵PID:4980
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe4⤵PID:2808
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"3⤵PID:2076
-
C:\Windows\SysWOW64\cmd.execmd /c del /q /f %temp%\*.lnk4⤵PID:2512
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5fe3c4b9fd86d85978b424e368085738b
SHA159b92a8f0662f9d6b109ef425ba50c3aecca940d
SHA2567cb4dd1ac9bda99ea62d653d5ebfab13b3e1a13af9cd96a7e873ee6ed65517f0
SHA512351e9e4016c705ec4e591ca21d7955eaa42f5f70618a3d180ea7ae16e7219aa15be21b88353410c31ae93165f62563d6238c9d90d880bb1c02dfbf54f4a139c1
-
Filesize
2B
MD593e00066d099c0485cfffa1359246d26
SHA1bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA2563b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02
-
Filesize
3KB
MD55fae023d0f4d9d94bcdbf6b5581a71ca
SHA1b6569e50b87b53c912430e8fe1dc1eda4192053e
SHA2561ff222637a9ef5c034bba5747b119bba0b7635aaf308832d2410d83b89f07ea2
SHA51297718df3e5f51d20966e4682bcd3ec29b43deafa912b46977197d51e55a1a34431f601462d658e58f5b6057e6708315b38f3a7432494ba8b0dbac31471b90b1c