Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 16:12

General

  • Target

    d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe

  • Size

    392KB

  • MD5

    82805fe0c771d3d7660012d0e5d63060

  • SHA1

    e762d3caf6d045e66f2d9ba5a2ce3bd65c0b6600

  • SHA256

    d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb

  • SHA512

    aadc35efe7618be3c2b344063146091916223402ab75b824f1fc9520355c7292ab0e6f78fb25748e4b56199d0592e3f136806516a23cae3e1be41f326740c44d

  • SSDEEP

    12288:tt8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS23:tt+gvMpVij/F1hV5HuvAId

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
    "C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3828
    • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
      \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
        \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

    Filesize

    392KB

    MD5

    22ec4a5d682705facf85c52b4937239b

    SHA1

    394539ef2103fb7080668b876f03e58bb1c1a8de

    SHA256

    091215dc7fa868e87b982b9836cbf4e15344717f41d439a036f93ab026aac1ba

    SHA512

    f9ac6f90ddcb0b012a5c8ab9ee8293f1695f4aa46ca01775110526106363d8c99a4452ef0d44fdb9ce93e0ed5593b39d4a407cfefd66dd21b29bdd1c6ae763e2

  • C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

    Filesize

    392KB

    MD5

    0f8d76da53f8f78f24f48c794b228f59

    SHA1

    a28de301142a01a9077d2bf2eeef70781079deba

    SHA256

    97d81dbcb27f299cbca9da3e81fe2d1350b8c65d8eed49695b9e37add2ed226b

    SHA512

    f11d95a375ca9f2027e45215efe61f7718fe64191b62dc73332671fa5a7dd149e4134140df1972dc81a437853df6e6e0fc3e4cf6382ea9f0a56e085aad56a51d
