Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 06:19 UTC

General

  • Target

    ee82de494114997bd1eae2fc1bea99accb50b35d481ede92b3bcab640f35a2dd.exe

  • Size

    333KB

  • MD5

    0dfdb2aff1563d36baa793fa209f6fd0

  • SHA1

    36536b8ec6e76cc125a9f7d44dccabeba7fd9c4b

  • SHA256

    ee82de494114997bd1eae2fc1bea99accb50b35d481ede92b3bcab640f35a2dd

  • SHA512

    c7c3aa0ba753d6f86374d2b0b1c6e8115896a82c1273aaf991061100a10ab9f014d6568ca118723e161a6ab4e344d862d00f248c069e0c908085be4375376d24

  • SSDEEP

    6144:3LObkszAhheFdgIkYofIa8SQcPqIpwGGIQ9aM5BDhm0gVpXANRXds3zgbJ5u0rMz:7AzAY0BhqIxGIq9ywjdIzgN4iMpt

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee82de494114997bd1eae2fc1bea99accb50b35d481ede92b3bcab640f35a2dd.exe
    "C:\Users\Admin\AppData\Local\Temp\ee82de494114997bd1eae2fc1bea99accb50b35d481ede92b3bcab640f35a2dd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\ddsa.scr
      "C:\ddsa.scr" /S
      2⤵
      • Executes dropped EXE
      PID:4260
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
    1⤵
      PID:1720
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
        PID:4768

      Network

      • DNS
        176.122.125.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        176.122.125.40.in-addr.arpa
        IN PTR
        Response
      • 209.197.3.8:80
        46 B
        40 B
        1
        1
      • 13.69.239.72:443
        322 B
        7
      • 209.197.3.8:80
        322 B
        7
      • 209.197.3.8:80
        322 B
        7
      • 8.8.8.8:53
        176.122.125.40.in-addr.arpa
        dns
        73 B
        159 B
        1
        1

        DNS Request

        176.122.125.40.in-addr.arpa

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\ddsa.scr

        Filesize

        8KB

        MD5

        3e9f18d134cb34e0575365bdad55f155

        SHA1

        14206f0887576eabe296b15881260b3ad2bf7709

        SHA256

        0cd0bcb93e7d4fa0fe4db223e914e723b4ebb4d81312cb4357f36a14edba2df2

        SHA512

        77a1353217df765ffd74f3b4b464c1edd86b8386e30aabda218e5d5610a981c7720164f9acda045fed5ed5c2cd914a144637a86d08b492a5b7f04bcb3b007612

      • memory/676-132-0x0000000000400000-0x0000000000551000-memory.dmp

        Filesize

        1.3MB

      • memory/676-133-0x0000000000400000-0x0000000000551000-memory.dmp

        Filesize

        1.3MB

      • memory/676-134-0x0000000000400000-0x0000000000551000-memory.dmp

        Filesize

        1.3MB

      • memory/676-135-0x0000000000400000-0x0000000000551000-memory.dmp

        Filesize

        1.3MB
