Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/11/2022, 22:40

General

  • Target

    f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe

  • Size

    739KB

  • MD5

    4cd5ae06eb662fb578de6cc647ac1cc5

  • SHA1

    af5ae644eadb42d3059aae52a4964b965b24920c

  • SHA256

    f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b

  • SHA512

    361a343c1b55aeb0e5597e9b8b2176cc0dc6b8930d1d9969872271710e923d8cb22021021ea3a90523a144c23065868d1904526947c91a1cc470afb7082593cc

  • SSDEEP

    12288:TxxC7o5o9tsxjG8KC16wvoaP6YZzgIrM/EAtN9MTjQ43GbSDM:TxxC7MolxivoaPfZe1p4Q43Gb

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe
    "C:\Users\Admin\AppData\Local\Temp\f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteMyProgram.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3960
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        3⤵
        PID:3528
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del /F C:\Users\Admin\AppData\Local\Temp\f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe"
        3⤵
        PID:3364
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        3⤵
        PID:3484
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del deleteMyProgram.bat"
        3⤵
        PID:3716
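The tree above is the standard batch-file self-deletion sequence: the sample drops deleteMyProgram.bat and runs it through cmd.exe, the script pings 127.0.0.1 as a sleep substitute (no extra binary needed, and it gives the parent time to exit so the file is no longer locked), deletes the parent executable with del /F, then deletes itself. The `cmd.exe /S /D /c" ... "` children are the form cmd.exe uses when a command is evaluated inside a `for /f` loop, so the del commands sit one level below the batch process rather than in it directly. The batch file's contents are not reproduced in the report, so a detector should key on the tree, not the script text. The Python below is an added example, not part of the Triage report: it rebuilds parent/child relationships from process-creation events (Sysmon Event ID 1 style) and flags any cmd.exe running a .bat whose descendants, at any depth, delete the image of cmd.exe's own parent. The events are constructed to mirror the reported tree with the reported PIDs; the launcher PID 4000 and the benign cleanup.bat control case are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


EXE = r"C:\Users\Admin\AppData\Local\Temp\f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\deleteMyProgram.bat"
CMD = r"C:\Windows\system32\cmd.exe"
PING = r"C:\Windows\system32\PING.EXE"

# Constructed events mirroring the report's process tree (PIDs as reported).
# PID 4000 as the launcher and the cleanup.bat control case are assumptions.
EVENTS: List[ProcEvent] = [
    ProcEvent(644, 4000, EXE, f'"{EXE}"'),
    ProcEvent(1412, 644, CMD, f'{CMD} /c ""{BAT}" "'),
    ProcEvent(3960, 1412, PING, "ping 127.0.0.1"),
    ProcEvent(3528, 1412, CMD, f'{CMD} /S /D /c" echo j "'),
    ProcEvent(3364, 1412, CMD, f'{CMD} /S /D /c" del /F {EXE}"'),
    ProcEvent(3484, 1412, CMD, f'{CMD} /S /D /c" echo j "'),
    ProcEvent(3716, 1412, CMD, f'{CMD} /S /D /c" del deleteMyProgram.bat"'),
    # Benign control: pings loopback but deletes a cache file, not its parent.
    ProcEvent(5000, 4000, r"C:\Tools\cleanup.exe", r'"C:\Tools\cleanup.exe"'),
    ProcEvent(5001, 5000, CMD, f'{CMD} /c "C:\\Tools\\cleanup.bat"'),
    ProcEvent(5002, 5001, PING, "ping 127.0.0.1 -n 2"),
    ProcEvent(5003, 5001, CMD, f'{CMD} /S /D /c" del /Q C:\\Tools\\cache.tmp"'),
]

# Absolute path of a .bat/.cmd script anywhere in a cmd.exe command line.
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:bat|cmd))\b', re.I)
# "del [/switches] target", tolerating the trailing quote cmd.exe /S /D /c" adds.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?(?P<target>[^"]+?)"?\s*$', re.I)
# ping against loopback: the classic sleep substitute in batch files.
LOOPBACK_PING_RE = re.compile(r"\bping(?:\.exe)?\b.*\b(?:127\.0\.0\.1|localhost)\b", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _same_file(target: str, path: str) -> bool:
    """Relative del targets depend on the cwd, so compare those by basename only."""
    if "\\" in target:
        return target.lower() == path.lower()
    return _basename(target) == _basename(path)


def _descendants(children: Dict[int, List[ProcEvent]], root: int) -> List[ProcEvent]:
    """All processes below root, any depth (del is often wrapped by a nested cmd.exe)."""
    out, stack = [], [root]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def find_self_delete(events: List[ProcEvent]) -> List[dict]:
    """Flag cmd.exe running a .bat whose subtree deletes the image of cmd.exe's parent."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []
    for cmd in events:
        if _basename(cmd.image) != "cmd.exe":
            continue
        bat = BAT_RE.search(cmd.cmdline)
        parent = by_pid.get(cmd.ppid)
        if bat is None or parent is None:
            continue
        subtree = _descendants(children, cmd.pid)
        targets = [m.group("target").strip() for d in subtree if (m := DEL_RE.search(d.cmdline))]
        if not any(_same_file(t, parent.image) for t in targets):
            continue
        hits.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "bat": bat.group(1),
            "bat_pid": cmd.pid,
            "loopback_ping": any(LOOPBACK_PING_RE.search(d.cmdline) for d in subtree),
            "deletes_bat": any(_same_file(t, bat.group(1)) for t in targets),
        })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print(hit)
```

The deletion of the parent image is the condition that fires; the loopback ping and the self-removal of the .bat are reported as supporting indicators rather than required, because a script that skips the delay or leaves the batch file behind is still cleaning up a dropper. The control case shows why the del target must be matched against the parent's image and not merely scored on "ping plus del" in one script.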

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\deleteMyProgram.bat

    Filesize

    182B

    MD5

    195f0d99dc22d3af8c9de84ea599c5dd

    SHA1

    fdd0055aacc66419825708698708b7fd8399478c

    SHA256

    46ca2455dea5e487aa439ecdc3096f6944695c7ff690b5ac5683e074b2f9a673

    SHA512

    581d95e36a9d5bf7ef5fcc2a0a1de94ab21f775c1b682dedd8c93c47938bf9cf3fc975bd30fc87e984daf5bb6b810cb6878bd1648a66e64f0df82b242ed4ffb1

  • memory/644-132-0x0000000000EB0000-0x0000000000F70000-memory.dmp

    Filesize

    768KB

  • memory/644-133-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

    Filesize

    10.8MB

  • memory/644-134-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

    Filesize

    10.8MB

  • memory/644-135-0x0000000001590000-0x00000000015B2000-memory.dmp

    Filesize

    136KB

  • memory/644-138-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

    Filesize

    10.8MB