Analysis
max time kernel: 139s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2022, 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe
  Resource: win10v2004-20220812-en
General
Target: f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe
Size: 739KB
MD5: 4cd5ae06eb662fb578de6cc647ac1cc5
SHA1: af5ae644eadb42d3059aae52a4964b965b24920c
SHA256: f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b
SHA512: 361a343c1b55aeb0e5597e9b8b2176cc0dc6b8930d1d9969872271710e923d8cb22021021ea3a90523a144c23065868d1904526947c91a1cc470afb7082593cc
SSDEEP: 12288:TxxC7o5o9tsxjG8KC16wvoaP6YZzgIrM/EAtN9MTjQ43GbSDM:TxxC7MolxivoaPfZe1p4Q43Gb
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  3960 | PING.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 644 wrote to memory of 1412 | 644 | f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe | 87
  PID 644 wrote to memory of 1412 | 644 | f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe | 87
  PID 1412 wrote to memory of 3960 | 1412 | cmd.exe | 89
  PID 1412 wrote to memory of 3960 | 1412 | cmd.exe | 89
  PID 1412 wrote to memory of 3528 | 1412 | cmd.exe | 90
  PID 1412 wrote to memory of 3528 | 1412 | cmd.exe | 90
  PID 1412 wrote to memory of 3364 | 1412 | cmd.exe | 91
  PID 1412 wrote to memory of 3364 | 1412 | cmd.exe | 91
  PID 1412 wrote to memory of 3484 | 1412 | cmd.exe | 92
  PID 1412 wrote to memory of 3484 | 1412 | cmd.exe | 92
  PID 1412 wrote to memory of 3716 | 1412 | cmd.exe | 93
  PID 1412 wrote to memory of 3716 | 1412 | cmd.exe | 93
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe"
  PID: 644
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteMyProgram.bat" "
    PID: 1412
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\PING.EXE
      Command line: ping 127.0.0.1
      PID: 3960
      - Runs ping.exe
    Level 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
      PID: 3528
    Level 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" del /F C:\Users\Admin\AppData\Local\Temp\f39d01a10bd09f9585869dd9b95a416df856699d0fe80a07f09be20bfe1da94b.exe"
      PID: 3364
    Level 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
      PID: 3484
    Level 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" del deleteMyProgram.bat"
      PID: 3716
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 182B
MD5: 195f0d99dc22d3af8c9de84ea599c5dd
SHA1: fdd0055aacc66419825708698708b7fd8399478c
SHA256: 46ca2455dea5e487aa439ecdc3096f6944695c7ff690b5ac5683e074b2f9a673
SHA512: 581d95e36a9d5bf7ef5fcc2a0a1de94ab21f775c1b682dedd8c93c47938bf9cf3fc975bd30fc87e984daf5bb6b810cb6878bd1648a66e64f0df82b242ed4ffb1