Analysis

  • max time kernel
    129s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/10/2022, 13:03

General

  • Target

    592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe

  • Size

    850KB

  • MD5

    ef23ad78508950e75894b846d1327c2b

  • SHA1

    b5e3e1f9a3c157361621ecb3a0bfcd48234a9f7f

  • SHA256

    592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8

  • SHA512

    0e8c600555defff949bde69c7e3129e06b2e8efe56cbef6da767b778107b5bddb899379d8705ae79b86c5cc899c2cc8e904a1f993ba111e38864d0e73bc51455

  • SSDEEP

    12288:Dr6JiSK2mXyP85SqM5mZ67l03Tq/wiIzy4PdCmvpeqz8/9tRatjSmphL2VPifd:n6UzdyP267C3T4eZ5kqQ9jatnhL20d

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe
    "C:\Users\Admin\AppData\Local\Temp\592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\5Clicks.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6CCBFB33D67AA58584E380507A9304E1 C
      2⤵
      • Loads dropped DLL
      PID:1104

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI96A7.tmp

    Filesize

    89KB

    MD5

    cfec418f8bfdf45320905174ac6160f4

    SHA1

    e5f5ca88cbbe009573fec7959faee5a3f7c352f9

    SHA256

    aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

    SHA512

    8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

  • C:\Users\Admin\AppData\Local\Temp\MSI9773.tmp

    Filesize

    89KB

    MD5

    cfec418f8bfdf45320905174ac6160f4

    SHA1

    e5f5ca88cbbe009573fec7959faee5a3f7c352f9

    SHA256

    aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

    SHA512

    8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

  • C:\Users\Admin\AppData\Local\Temp\MSI991A.tmp

    Filesize

    89KB

    MD5

    cfec418f8bfdf45320905174ac6160f4

    SHA1

    e5f5ca88cbbe009573fec7959faee5a3f7c352f9

    SHA256

    aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

    SHA512

    8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\5Clicks.msi

    Filesize

    885KB

    MD5

    72686ffebb8293df523f35078d94f47d

    SHA1

    ce43b0c9b29d6cad1db242399846b1ae27ba5a8d

    SHA256

    957ea0b94d928ecb0b111d2c2b9c1d88d58a98d28b7d3f6f192d60d9295b8d15

    SHA512

    e7120247bb547f1b912130b433ba514d3ff507b3f732c01e2c657f9f6b9b4c1c22802343eff00cae8273d0551e7ced34efc2cfd8bd4eb5d0c7ca73220749782a