Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2022, 10:09
Static task: static1
Behavioral task: behavioral1
- Sample: f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe
- Resource: win10v2004-20220812-en
General
- Target: f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe
- Size: 53KB
- MD5: 0963c0fc8aab14a8a820703e85b9ea7f
- SHA1: a2d56f2cc20e6c2384f973953b83f79ef4656fa9
- SHA256: f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b
- SHA512: 09f55c956c10ddb88f2f88e7c58c1ec5a73beb105673b037482794a36dbdf73301a35dfb1a163c8d55d6b0dd534644fc69e64bbec60a6b47e21989add34d4760
- SSDEEP: 1536:9RxEd321aavhNBwFs/4d6eI36xI7V0Kz0EvuP112j/:9HQiJNOFFd1qHLvi10j/
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 4968, Process Trojan.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 4932, Process netsh.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation; Process f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."; Process Trojan.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."; Process Trojan.exe
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new; Process f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe
  File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new; Process f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
pid Process 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe 4968 Trojan.exe -
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege; pid 4968, Process Trojan.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4856 wrote to memory of 4968; pid 4856, Process f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe, procid_target 82
  PID 4856 wrote to memory of 4968; pid 4856, Process f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe, procid_target 82
  PID 4968 wrote to memory of 4932; pid 4968, Process Trojan.exe, procid_target 83
  PID 4968 wrote to memory of 4932; pid 4968, Process Trojan.exe, procid_target 83
Processes
- C:\Users\Admin\AppData\Local\Temp\f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b.exe"
  PID: 4856
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Trojan.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    PID: 4968
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      PID: 4932
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 53KB
  MD5: 0963c0fc8aab14a8a820703e85b9ea7f
  SHA1: a2d56f2cc20e6c2384f973953b83f79ef4656fa9
  SHA256: f022266362463b7146ffb2ed488dbc11d0044e2709858433a09ea2001b72fc3b
  SHA512: 09f55c956c10ddb88f2f88e7c58c1ec5a73beb105673b037482794a36dbdf73301a35dfb1a163c8d55d6b0dd534644fc69e64bbec60a6b47e21989add34d4760