Analysis
- max time kernel: 91s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 15:55
Static task: static1
Behavioral task: behavioral1
- Sample: eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe
- Resource: win10v2004-20220901-en
General
- Target: eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe
- Size: 184KB
- MD5: 821cdee6e72c5da5130a13ab50862b70
- SHA1: 0d80e67479d7cb00bb6a9f2ca74c5e43939d01b8
- SHA256: eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be
- SHA512: 54c3cefb660d7a57a0c27ba21eb810902ebb4ff6bf73da5315d8af2dfdedb50d1d37411955a1500eef093b894cb4a86dbe275da99769d6a88a3ea24bca25ef07
- SSDEEP: 3072:xnrRqBYMmJGGlsw23uoYR1zRVufMbCmuhi3URpC4IUhdhLhPhAeY:xSDYaB3uTRsmu1pJIU3hhh6
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  3280  facebook hack v6.2.Exe
  3940  facebook hack v6..exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  Process: eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                    procid_target
  PID 3116 wrote to memory of 3280   3116  eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe  80
  PID 3116 wrote to memory of 3280   3116  eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe  80
  PID 3116 wrote to memory of 3280   3116  eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe  80
  PID 3116 wrote to memory of 3940   3116  eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe  81
  PID 3116 wrote to memory of 3940   3116  eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe  81
  PID 3116 wrote to memory of 3940   3116  eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe  81
Processes
- C:\Users\Admin\AppData\Local\Temp\eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eea7647cadec526a0a3b07082b15ee002c2333859e2a4d738964743cb1aa47be.exe"
  PID: 3116
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\facebook hack v6.2.Exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\facebook hack v6.2.Exe"
    PID: 3280
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\facebook hack v6..exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\facebook hack v6..exe"
    PID: 3940
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 33KB
  MD5: 596805c542b24fc7e9f1b689e9490941
  SHA1: 68736e9600a135b9fb7a9d8b0040eee395112cd6
  SHA256: 2c4e9e949f75f44889b71223267df3c7ecec8489bdf27b269247c787f459001d
  SHA512: e43c3eb8970f92f25072b315b0cdd4bd9b3ec06b50c08524e6fc820a83f29713e7a75a65ed436da623ff7574e4f2196f5848dc3f7a5b0ab39af110fcfa77aaa7
- Filesize: 309KB
  MD5: 5b32674ed2aab6a1c987f12048c9c362
  SHA1: 6d6ad39281c73303700943913acb83733e9693ce
  SHA256: 95b70d4ee8c613a8b714488c729cfd086505d9a53abb5d0879e3c28e578dc668
  SHA512: 034fbb688cba4a25ef07fc206e59b9a6eb8092d225a6b4ed62b99e29bce003e2d7b45843ea3f908e7027d17519cb6b229b910648a4790b905f0e161d3d22e730