Analysis
  max time kernel: 152s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/11/2022, 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe
  Resource: win10v2004-20220812-en
General
  Target: ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe
  Size: 339KB
  MD5: 23f90d47f46844993e7cf5b2d70de70f
  SHA1: 1c4c006db9a67d1702e9a91855553f5a07aa4d96
  SHA256: ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e
  SHA512: 24d027392f63e836b4c0834f766d2db6e595643c173523b9b76aae349b75fe17aef77d243fddf2d3ce3f36d1a3672b5ec1b6ec90f4bc3c6d69fbfaedeccd1cc6
  SSDEEP: 6144:aFJ0tSrJzXKzy1qZ8LpkJXcLoSMOvpZAwAEjahOj6sVI:7ObNYjJXcE9OhPEOLVI
Malware Config
Signatures
  Executes dropped EXE (1 IoC)
    pid 4296  process beeieacfci.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Program crash (1 IoC)
    pid 3888  pid_target 4296  process WerFault.exe  procid_target 83
  Suspicious use of AdjustPrivilegeToken (64 IoCs)
    description  pid  process
    Token: SeIncreaseQuotaPrivilege  5112  wmic.exe
    Token: SeSecurityPrivilege  5112  wmic.exe
    Token: SeTakeOwnershipPrivilege  5112  wmic.exe
    Token: SeLoadDriverPrivilege  5112  wmic.exe
    Token: SeSystemProfilePrivilege  5112  wmic.exe
    Token: SeSystemtimePrivilege  5112  wmic.exe
    Token: SeProfSingleProcessPrivilege  5112  wmic.exe
    Token: SeIncBasePriorityPrivilege  5112  wmic.exe
    Token: SeCreatePagefilePrivilege  5112  wmic.exe
    Token: SeBackupPrivilege  5112  wmic.exe
    Token: SeRestorePrivilege  5112  wmic.exe
    Token: SeShutdownPrivilege  5112  wmic.exe
    Token: SeDebugPrivilege  5112  wmic.exe
    Token: SeSystemEnvironmentPrivilege  5112  wmic.exe
    Token: SeRemoteShutdownPrivilege  5112  wmic.exe
    Token: SeUndockPrivilege  5112  wmic.exe
    Token: SeManageVolumePrivilege  5112  wmic.exe
    Token: 33  5112  wmic.exe
    Token: 34  5112  wmic.exe
    Token: 35  5112  wmic.exe
    Token: 36  5112  wmic.exe
    Token: SeIncreaseQuotaPrivilege  5112  wmic.exe
    Token: SeSecurityPrivilege  5112  wmic.exe
    Token: SeTakeOwnershipPrivilege  5112  wmic.exe
    Token: SeLoadDriverPrivilege  5112  wmic.exe
    Token: SeSystemProfilePrivilege  5112  wmic.exe
    Token: SeSystemtimePrivilege  5112  wmic.exe
    Token: SeProfSingleProcessPrivilege  5112  wmic.exe
    Token: SeIncBasePriorityPrivilege  5112  wmic.exe
    Token: SeCreatePagefilePrivilege  5112  wmic.exe
    Token: SeBackupPrivilege  5112  wmic.exe
    Token: SeRestorePrivilege  5112  wmic.exe
    Token: SeShutdownPrivilege  5112  wmic.exe
    Token: SeDebugPrivilege  5112  wmic.exe
    Token: SeSystemEnvironmentPrivilege  5112  wmic.exe
    Token: SeRemoteShutdownPrivilege  5112  wmic.exe
    Token: SeUndockPrivilege  5112  wmic.exe
    Token: SeManageVolumePrivilege  5112  wmic.exe
    Token: 33  5112  wmic.exe
    Token: 34  5112  wmic.exe
    Token: 35  5112  wmic.exe
    Token: 36  5112  wmic.exe
    Token: SeIncreaseQuotaPrivilege  4960  wmic.exe
    Token: SeSecurityPrivilege  4960  wmic.exe
    Token: SeTakeOwnershipPrivilege  4960  wmic.exe
    Token: SeLoadDriverPrivilege  4960  wmic.exe
    Token: SeSystemProfilePrivilege  4960  wmic.exe
    Token: SeSystemtimePrivilege  4960  wmic.exe
    Token: SeProfSingleProcessPrivilege  4960  wmic.exe
    Token: SeIncBasePriorityPrivilege  4960  wmic.exe
    Token: SeCreatePagefilePrivilege  4960  wmic.exe
    Token: SeBackupPrivilege  4960  wmic.exe
    Token: SeRestorePrivilege  4960  wmic.exe
    Token: SeShutdownPrivilege  4960  wmic.exe
    Token: SeDebugPrivilege  4960  wmic.exe
    Token: SeSystemEnvironmentPrivilege  4960  wmic.exe
    Token: SeRemoteShutdownPrivilege  4960  wmic.exe
    Token: SeUndockPrivilege  4960  wmic.exe
    Token: SeManageVolumePrivilege  4960  wmic.exe
    Token: 33  4960  wmic.exe
    Token: 34  4960  wmic.exe
    Token: 35  4960  wmic.exe
    Token: 36  4960  wmic.exe
    Token: SeIncreaseQuotaPrivilege  4960  wmic.exe
  Suspicious use of WriteProcessMemory (18 IoCs)
    description  pid  process  procid_target
    PID 676 wrote to memory of 4296  676  ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe  83
    PID 676 wrote to memory of 4296  676  ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe  83
    PID 676 wrote to memory of 4296  676  ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe  83
    PID 4296 wrote to memory of 5112  4296  beeieacfci.exe  84
    PID 4296 wrote to memory of 5112  4296  beeieacfci.exe  84
    PID 4296 wrote to memory of 5112  4296  beeieacfci.exe  84
    PID 4296 wrote to memory of 4960  4296  beeieacfci.exe  86
    PID 4296 wrote to memory of 4960  4296  beeieacfci.exe  86
    PID 4296 wrote to memory of 4960  4296  beeieacfci.exe  86
    PID 4296 wrote to memory of 1816  4296  beeieacfci.exe  88
    PID 4296 wrote to memory of 1816  4296  beeieacfci.exe  88
    PID 4296 wrote to memory of 1816  4296  beeieacfci.exe  88
    PID 4296 wrote to memory of 2208  4296  beeieacfci.exe  90
    PID 4296 wrote to memory of 2208  4296  beeieacfci.exe  90
    PID 4296 wrote to memory of 2208  4296  beeieacfci.exe  90
    PID 4296 wrote to memory of 4008  4296  beeieacfci.exe  92
    PID 4296 wrote to memory of 4008  4296  beeieacfci.exe  92
    PID 4296 wrote to memory of 4008  4296  beeieacfci.exe  92
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ab75963b079bdd8ec13c722808e5ad1542cadd3107986eaae3b3218ac907d24e.exe"
    PID: 676
    Signatures: Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\beeieacfci.exeC:\Users\Admin\AppData\Local\Temp\beeieacfci.exe 4)1)7)4)0)6)8)3)7)0)4 K09CQD0sKzArNxwrUk4+UEM8OikgK0pETVNPTENGPT0tHC49RVNOQUE2MjUzNSkcLz1BQTYwHCtPS0tETztRWElAOTEyLDAqGCxMRU5SREtbVUxEOmF0cGw5KCtzbG4rPUVPRyxNS1AnOU1JLkVKRUgcLz1ERjxLRUA8cmhMbkxXS05Rcm9RTVRfcXJILUtCdV0vckhlV0dZby42SERObj5ER2IpdTRsbGtsTkI+b2FlRDJPWi8rZ04tSmtPPHNpY0J0LzhzVVNdQWpgYGFkZXNWOGZnZTxtNUNodDNUT2xnYWUvRzQzSW1tYUwtY3YZL0AtPCYtICk8LzYtLRwuPS89JykdKEQwOSwqHC8+LTomMRwrT0tLRE87UVhQTkVVOj9ZNxgsSVJLQFQ8UF8/TUk6PRwrT0tLRE87UVhOPUlENm9vZmFxWnJla3IZK0VSPVxOUkg5I3RRUkZ1HShFVEFePElERkFLPj0cK0dIT1RZOk9IV09BUTYxIClMRTpOR1VOTltVTEQ6YXRwbDkoK2FdZGZcaypdY2FrYysma150K3B0SHM4Ri5ARHl2a1RJU1MwYGxnOWk7c205MiBuXmsxOSJ1Wm4yNx5zWnIvOTEvLTIgSEBNWDkibDZvb2ZhcVpyZWtyGStWRzUvGS9ATzA2LjYrKh0oUlFKU0JJRVlPQkVDS0lEQklBQT1SS0w5HC5CT19MTUtNSUlBPG1udV8YLEtFUFFRR0VOQVdSTEVOW0M6VVM3Kh0oSEVARFE5MRonRkxfQFVNOklJPVdCR0NOVU9NQUQ3Xl5lc2EcLj1LV0hETDpEW0VPNi4wMiYuKjAqNTInLTIsGCxJQU49S0VBTFlBS0xUPUhLNnByb10dKFRFSUQ2LTQuMDEpNjMwMhkrRElPS0VPPUBeTUVNPzUuKi8uMC4rLDEvIi4qOi0uOSsvKkpF2⤵
      PID: 4296
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      [depth 3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863917.txt bios get serialnumber
        PID: 5112
        Signatures: Suspicious use of AdjustPrivilegeToken
      [depth 3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863917.txt bios get version
        PID: 4960
        Signatures: Suspicious use of AdjustPrivilegeToken
      [depth 3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863917.txt bios get version
        PID: 1816
      [depth 3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863917.txt bios get version
        PID: 2208
      [depth 3] C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81667863917.txt bios get version
        PID: 4008
      [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 924
        PID: 3888
        Signatures: Program crash
  [depth 1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4296 -ip 4296
    PID: 4796
Network
MITRE ATT&CK Enterprise v6
Downloads
  File 1
    Filesize: 66B
    MD5: 9025468f85256136f923096b01375964
    SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
    SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
    SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
  File 2
    Filesize: 58B
    MD5: dd876faf0fd44a5fab3e82368e2e8b15
    SHA1: 01b04083fa278dda3a81705ca5abcfee487a3c90
    SHA256: 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
    SHA512: e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
  File 3
    Filesize: 58B
    MD5: dd876faf0fd44a5fab3e82368e2e8b15
    SHA1: 01b04083fa278dda3a81705ca5abcfee487a3c90
    SHA256: 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
    SHA512: e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
  File 4
    Filesize: 58B
    MD5: dd876faf0fd44a5fab3e82368e2e8b15
    SHA1: 01b04083fa278dda3a81705ca5abcfee487a3c90
    SHA256: 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
    SHA512: e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
  File 5
    Filesize: 58B
    MD5: dd876faf0fd44a5fab3e82368e2e8b15
    SHA1: 01b04083fa278dda3a81705ca5abcfee487a3c90
    SHA256: 5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9
    SHA512: e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b
  File 6
    Filesize: 538KB
    MD5: 923e6c5469a7fa6b36e43dfac16f6e8a
    SHA1: d514ba15e26c769cf484b1d57888154aed5338e4
    SHA256: da3c31cff2be5e9c1778d80bad43b8e1023b4005bb7a72bc6b54ba654789d4df
    SHA512: 48083a9c103cd9767cba4582a9401e15a3b23910c5ba4d878cda5d5382194856dfe5ff295fd3f2f668c369facf49ea85d5777d4d34bd337fc2b5c81d2a3f2783
  File 7
    Filesize: 538KB
    MD5: 923e6c5469a7fa6b36e43dfac16f6e8a
    SHA1: d514ba15e26c769cf484b1d57888154aed5338e4
    SHA256: da3c31cff2be5e9c1778d80bad43b8e1023b4005bb7a72bc6b54ba654789d4df
    SHA512: 48083a9c103cd9767cba4582a9401e15a3b23910c5ba4d878cda5d5382194856dfe5ff295fd3f2f668c369facf49ea85d5777d4d34bd337fc2b5c81d2a3f2783