Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/10/2022, 20:00

General

  • Target

    8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe

  • Size

    352KB

  • MD5

    006543effb858695f39ddc4522460500

  • SHA1

    f412cd02efef2d83e774b13b13c4771a83f13e8d

  • SHA256

    8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689

  • SHA512

    9c0ba9ff79e059addf698b2e91a5f12855adc09a836c9e92fc4f564f4b55d57fd484f629d599e98f43c1ce3025147b0ee6372d815acbd3fa2f724607243a8cd6

  • SSDEEP

    6144:FrvdwMXe0Ho9yCIqP2q+3MhWDIhuZ1qD70HWWWCWWW+/85/8LDg:Fjbez9yCI62lbgU/85/8L

Score
8/10

Malware Config

Signatures

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe
    "C:\Users\Admin\AppData\Local\Temp\8c79f64eb0802fac12f30aa53a832d06d0327304c9cd14005e1ab1e3e439b689.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\VUpNzsbl.exe
      C:\Users\Admin\AppData\Local\Temp\VUpNzsbl.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55985bd2.bat" "
        3⤵
          PID:2364

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\55985bd2.bat

      Filesize

      191B

      MD5

      761d1a5d4a6f2d58352eadb14da390a4

      SHA1

      3724cbcc30c4646de53ff14ff61e4308d925d4f5

      SHA256

      478a1176e300d442bac65e5312a894ea3285eccbfc2163631d7171461610304a

      SHA512

      4789a07a1ad20594b43a42eceab19286f0f6db50ae896c8ebb4c47414d47a96dc6ad7b6facb4c9517c2f70fedcb1df4d9e246641384ea6a55eaa822c897217d1

    • C:\Users\Admin\AppData\Local\Temp\VUpNzsbl.exe

      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    • C:\Users\Admin\AppData\Local\Temp\VUpNzsbl.exe

      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    • memory/1200-132-0x0000000000400000-0x0000000000461000-memory.dmp

      Filesize

      388KB

    • memory/1200-137-0x0000000000400000-0x0000000000461000-memory.dmp

      Filesize

      388KB

    • memory/4888-136-0x0000000000A20000-0x0000000000A29000-memory.dmp

      Filesize

      36KB

    • memory/4888-139-0x0000000000A20000-0x0000000000A29000-memory.dmp

      Filesize

      36KB