Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/10/2022, 20:43
Static task: static1
Behavioral task: behavioral1
  Sample: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
  Resource: win10v2004-20220901-en
General
- Target: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
- Size: 629KB
- MD5: 5a30808ccc39d0b175aa926a68aa5150
- SHA1: 7ea82e73a32bbb478c235fe3a637daf941883a6c
- SHA256: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35
- SHA512: 0d51c2cadbf386a49f1cc6d66d49cd7056b51b741fcd553589119b7c75629323123d389ab7e2f469185fd1a3700119d8d94fe526eafaaad0ac60c670944a255c
- SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  4936  qyrewyy.exe
  4192  ~DFA236.tmp
  3460  ceibdey.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: ~DFA236.tmp)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  42 entries, all with pid 3460, process ceibdey.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege (pid 4192, process ~DFA236.tmp)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 4152 wrote to memory of 4936  4152  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  82
  PID 4152 wrote to memory of 4936  4152  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  82
  PID 4152 wrote to memory of 4936  4152  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  82
  PID 4936 wrote to memory of 4192  4936  qyrewyy.exe                                                               83
  PID 4936 wrote to memory of 4192  4936  qyrewyy.exe                                                               83
  PID 4936 wrote to memory of 4192  4936  qyrewyy.exe                                                               83
  PID 4152 wrote to memory of 4800  4152  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  84
  PID 4152 wrote to memory of 4800  4152  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  84
  PID 4152 wrote to memory of 4800  4152  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  84
  PID 4192 wrote to memory of 3460  4192  ~DFA236.tmp                                                               93
  PID 4192 wrote to memory of 3460  4192  ~DFA236.tmp                                                               93
  PID 4192 wrote to memory of 3460  4192  ~DFA236.tmp                                                               93
Processes
- C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe (PID 4152, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qyrewyy.exe (PID 4936, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\qyrewyy.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp (PID 4192, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\~DFA236.tmp OK
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ceibdey.exe (PID 3460, level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ceibdey.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 4800, level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
Network
MITRE ATT&CK Enterprise v6
Downloads