Analysis
Max time kernel: 83s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06/11/2022, 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: 0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
  Resource: win10v2004-20220901-en
General
Target: 0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
Size: 927KB
MD5: 0cd34fd97842c9ba96de6646735b9c70
SHA1: c208f071736d49235e3b9123aa8feaea7d63789a
SHA256: 0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff
SHA512: a76d378d1cb3cc1a07ad4a43cce5b2e6731917d06490d0563ea26b94de68fc3e5a4ce20f8ab17c4e80ba31650386001af1b43d506467d8e9d2dd90d4f3e81efd
SSDEEP: 12288:6/0DcVYk8zFcetqZQBAUQecDOkuKh5bKdcRVn/NRN2OX0Nr/1/I0l95yr3ozgnMN:TTkqcetqSBdcWJcz//N525wm52q3b
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: 0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe

Drops file in Program Files directory (2 IoCs)
  description: File opened for modification
  ioc: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp
  process: AdobeARM.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup
  process: AdobeARM.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid: 5004
  process: 0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
  (the same pid/process pair is reported for all 10 IoCs)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 4800
  process: AdobeARM.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 5004 wrote to memory of 4800
  pid: 5004
  process: 0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
  procid_target: 81
  (reported 3 times)
  description: PID 4800 wrote to memory of 1940
  pid: 4800
  process: AdobeARM.exe
  procid_target: 89
  (reported 3 times)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe"
  PID: 5004
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    PID: 4800
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
      PID: 1940
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 358B
MD5: d5864ce6cd2ef2f7d12e7259ddc6f66f
SHA1: 3b862bf84cd2ee5ec92f3f920088f4b8f626a368
SHA256: 9724c002db31525c3d7c99ee6c7c576615aa1389c419f64dd1032557671fd1ec
SHA512: a8769c309e3e9037b8e5cc659958997b57eef31f00f6fc206b08742dc9b0b030e39c87b6041de4fb56f45a7131a092b5bb02e3cadb01e95658529678ad54eec3