Analysis

  • max time kernel
    128s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 22:47

General

  • Target

    3dc8b691b1f268d6203767a6b939238003e4088258c4571427f416fd34badf8d.exe

  • Size

    180KB

  • MD5

    9115faf686d84459574b7e3d9b439400

  • SHA1

    1dab6f4a159759b40e184b1ee6651678ab02fe9e

  • SHA256

    3dc8b691b1f268d6203767a6b939238003e4088258c4571427f416fd34badf8d

  • SHA512

    01466f300515e5a159c137da55d42d68aa366cc0f6d020b017b2d254046113bb4ea0bbdccdcab90bb2d4ee5cd90af2df63852e86bec8109098c71ff6a162c780

  • SSDEEP

    3072:95CsY9yCIoWQwhqQhwa8/g2+OoT271v95a0MYWhN+2ZegkxT/LgCbDUkCb/Z:hYsCSQUvhwa/avC+2axTEiDAbZ

Score
9/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dc8b691b1f268d6203767a6b939238003e4088258c4571427f416fd34badf8d.exe
    "C:\Users\Admin\AppData\Local\Temp\3dc8b691b1f268d6203767a6b939238003e4088258c4571427f416fd34badf8d.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      2⤵
      • Runs regedit.exe
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3092
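The Signatures and Processes sections above describe behaviours (a sample in %TEMP% spawning regedit.exe, a 32-bit parent whose System32\regedit.exe command line resolves to a SysWOW64 image, a registry read of the configured country, a dki*.tmp drop) without showing how to turn them into checks. The following is an added example, not tria.ge's own code: it runs simple detection rules over Sysmon-style process, registry and file events constructed to mirror this report, and matches the report's SHA256 IOCs. The registry key used for the geofence check is an assumption (it is the value GetUserGeoID reads); the report only says the sample looks up the country code in the registry.

```python
"""Detection logic for the behaviours in this tria.ge report (added example).

The event records are constructed to mirror the report's process tree, dropped
file and signatures; the geofence registry key is an assumption.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Hashes taken from the report's General and Downloads sections.
SAMPLE_SHA256 = "3dc8b691b1f268d6203767a6b939238003e4088258c4571427f416fd34badf8d"
DROPPED_SHA256 = "cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc"
# Assumption: "Checks computer location settings" corresponds to a read of the
# user's GeoID value under this key (the one GetUserGeoID consults).
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DROPPED_NAME_RE = re.compile(r"\\AppData\\Local\\Temp\\dki[0-9A-F]+\.tmp$", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-style record: kind is 'proc', 'reg' or 'file'."""
    kind: str
    pid: int
    ppid: int = 0
    image: str = ""          # process image path (proc)
    cmdline: str = ""        # command line as passed by the parent (proc)
    parent_image: str = ""   # parent's image path (proc)
    sha256: str = ""         # hash of the image (proc) or written file (file)
    target: str = ""         # registry value path (reg) or file path (file)


def check_event(ev: Event) -> list[str]:
    """Return the detection labels a single event triggers."""
    hits: list[str] = []
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if ev.kind == "proc":
        if ev.sha256.lower() == SAMPLE_SHA256:
            hits.append("hash:sample")
        # Executable running out of %TEMP% spawning regedit.exe (PID 2400 -> 3092 in the report).
        if TEMP_DIR_RE.search(ev.parent_image) and img.endswith("\\regedit.exe"):
            hits.append("temp_parent_spawns_regedit")
        # Parent asked for System32\regedit.exe but the child image sits under SysWOW64:
        # WOW64 file-system redirection, i.e. the parent is a 32-bit process on x64.
        if "\\syswow64\\" in img and "\\system32\\" in cmd:
            hits.append("wow64_redirected_child")
    elif ev.kind == "reg":
        if ev.target.lower().endswith(GEO_KEY_SUFFIX):
            hits.append("geo_nation_lookup")
    elif ev.kind == "file":
        if DROPPED_NAME_RE.search(ev.target):
            hits.append("temp_tmp_drop")
        if ev.sha256.lower() == DROPPED_SHA256:
            hits.append("hash:dropped")
    return hits


def triage(events: list[Event]) -> dict[int, list[str]]:
    """Group detection labels by PID so the result reads like the report's process tree."""
    result: dict[int, list[str]] = {}
    for ev in events:
        for label in check_event(ev):
            result.setdefault(ev.pid, []).append(label)
    return result


def sha256_file(path: str) -> str:
    """Hash a file on disk so a recovered sample can be compared with the report's IOCs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3dc8b691b1f268d6203767a6b939238003e4088258c4571427f416fd34badf8d.exe"

# Constructed events modelled on the report (not a real Sysmon export); the
# explorer.exe parent and PPID 1234 are placeholders.
EVENTS = [
    Event("proc", pid=2400, ppid=1234, image=SAMPLE, cmdline=f'"{SAMPLE}"',
          parent_image=r"C:\Windows\explorer.exe", sha256=SAMPLE_SHA256),
    Event("reg", pid=2400, target=r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"),
    Event("file", pid=2400, target=r"C:\Users\Admin\AppData\Local\Temp\dki641E.tmp",
          sha256=DROPPED_SHA256),
    Event("proc", pid=3092, ppid=2400, image=r"C:\Windows\SysWOW64\regedit.exe",
          cmdline=r'"C:\Windows\System32\regedit.exe"', parent_image=SAMPLE),
]

if __name__ == "__main__":
    for pid, labels in triage(EVENTS).items():
        print(pid, labels)
```

Run against the constructed events, PID 2400 is flagged for the sample hash, the Geo\Nation read and the dki*.tmp drop, and PID 3092 for being a regedit.exe child of a %TEMP% executable through WOW64 redirection. Hash matching alone is brittle against repacked builds (the report shows an ACProtect-packed file); the process-tree and registry rules are the ones worth keeping in a detection set, and the SysWOW64/System32 mismatch on its own only says the parent is 32-bit.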

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dki641E.tmp

    Filesize

    172KB

    MD5

    4f407b29d53e9eb54e22d096fce82aa7

    SHA1

    a4ee25b066cac19ff679dd491f5791652bb71185

    SHA256

    cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

    SHA512

    325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

  • memory/2400-132-0x0000000001000000-0x0000000001005000-memory.dmp

    Filesize

    20KB

  • memory/2400-135-0x0000000000510000-0x0000000000584000-memory.dmp

    Filesize

    464KB

  • memory/2400-137-0x0000000001000000-0x0000000001005000-memory.dmp

    Filesize

    20KB

  • memory/2400-138-0x0000000000510000-0x0000000000584000-memory.dmp

    Filesize

    464KB