Analysis

  • max time kernel
    83s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 21:51

General

  • Target

    0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe

  • Size

    927KB

  • MD5

    0cd34fd97842c9ba96de6646735b9c70

  • SHA1

    c208f071736d49235e3b9123aa8feaea7d63789a

  • SHA256

    0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff

  • SHA512

    a76d378d1cb3cc1a07ad4a43cce5b2e6731917d06490d0563ea26b94de68fc3e5a4ce20f8ab17c4e80ba31650386001af1b43d506467d8e9d2dd90d4f3e81efd

  • SSDEEP

    12288:6/0DcVYk8zFcetqZQBAUQecDOkuKh5bKdcRVn/NRN2OX0Nr/1/I0l95yr3ozgnMN:TTkqcetqSBdcWJcz//N525wm52q3b

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
    "C:\Users\Admin\AppData\Local\Temp\0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
        3⤵
        PID:1940

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

    Filesize
    358B

    MD5
    d5864ce6cd2ef2f7d12e7259ddc6f66f

    SHA1
    3b862bf84cd2ee5ec92f3f920088f4b8f626a368

    SHA256
    9724c002db31525c3d7c99ee6c7c576615aa1389c419f64dd1032557671fd1ec

    SHA512
    a8769c309e3e9037b8e5cc659958997b57eef31f00f6fc206b08742dc9b0b030e39c87b6041de4fb56f45a7131a092b5bb02e3cadb01e95658529678ad54eec3

  • memory/5004-132-0x0000000000400000-0x00000000006B6000-memory.dmp

    Filesize
    2.7MB

  • memory/5004-134-0x0000000000400000-0x00000000006B6000-memory.dmp

    Filesize
    2.7MB