Analysis

  • max time kernel
    173s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/10/2022, 23:54

General

  • Target

    f5ffd8ba975a1fc90bf2a5eb896b5679849a8649e4c5adf03c6c79a311561f2f.exe

  • Size

    240KB

  • MD5

    93c36d046d631942a2c2e787b1cb495e

  • SHA1

    ace2a91de64b94a08c665e51d2ab71423fc23b98

  • SHA256

    f5ffd8ba975a1fc90bf2a5eb896b5679849a8649e4c5adf03c6c79a311561f2f

  • SHA512

    415fa35558a30a16e28484cee430b39f39cc6b0fc625de8cba8223fa50d433568acaa43482949ad5cee27ff6358fef9c31e471b1bcf0653b665850c18f893cff

  • SSDEEP

    6144:Ce3dwqsNTNEXGlQRayEqxF6snji81RUinKq3aEEDliDA3:CMdQKj3aEEwE

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5ffd8ba975a1fc90bf2a5eb896b5679849a8649e4c5adf03c6c79a311561f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\f5ffd8ba975a1fc90bf2a5eb896b5679849a8649e4c5adf03c6c79a311561f2f.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Users\Admin\xhlij.exe
      "C:\Users\Admin\xhlij.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5056

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\xhlij.exe

    Filesize

    240KB

    MD5

    27b4b48daef79cfd71cef1f4bb7eeef8

    SHA1

    a2c651bd9f443b8077ae71e33f80c8070f9119ad

    SHA256

    80b3f7c87e1a8d182c04d3a77368a4504e625435629428313b3174246905f00e

    SHA512

    7643cfcf5bbaa0e76e957c01eb14ebefe0ec1d7fe1d792bd58a07d17b6ad44c984caa74e266ce54a2e4bfb80e4f8ab57debe61831a8f0b241dfd06bcc91f6fa4