Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 20:02

General

  • Target

    b4f8d752f46ddae98e3f5e83329b5f6aa1c17c22a59bda6c8c5e3bf6713e05e2.exe

  • Size

    260KB

  • MD5

    a1d70650b0247293705b2994585f09c0

  • SHA1

    49ba3cdc210933b6ad8a944666e7884969c4cf04

  • SHA256

    b4f8d752f46ddae98e3f5e83329b5f6aa1c17c22a59bda6c8c5e3bf6713e05e2

  • SHA512

    a00718501098631c816896eae8fa61004bf3519deeac7ab658816e32aeb7e0776d564fb53310099880f66e7ba30a8253457324a7ac9c54928f058bac5f653cdd

  • SSDEEP

    3072:bgfAlNommvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBf3:bdrgTSrMaIl/jcLijfHFEHWzXvjT85R

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4f8d752f46ddae98e3f5e83329b5f6aa1c17c22a59bda6c8c5e3bf6713e05e2.exe
    "C:\Users\Admin\AppData\Local\Temp\b4f8d752f46ddae98e3f5e83329b5f6aa1c17c22a59bda6c8c5e3bf6713e05e2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\ffxoer.exe
      "C:\Users\Admin\ffxoer.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2108

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\ffxoer.exe

    Filesize

    260KB

    MD5

    ef7e90b173c2e7ce779984e4d51fdf53

    SHA1

    936dc966ae98c9226896ef392786e5bfe9c1a659

    SHA256

    3058c57b9c211e221069a188a27f79f5ef7d62cb7203d2ae0e1acaedf00bbae7

    SHA512

    ce070aeaf3ae256088a11eef06645c21f69e99b3a40313d49dabc8a6ad651659d1b10b8b60c0b29709c233afaa9f9b71ad92b828e603786d5f3a1a90169c1db0