Analysis
- max time kernel: 153s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2022, 13:55
Static task: static1

Behavioral task: behavioral1
- Sample: 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
- Resource: win10v2004-20220812-en
General
- Target: 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
- Size: 333KB
- MD5: 06b7dcdff00ed18e156ba6cf4e9a02f7
- SHA1: 541032ba6ab7c383b804161a1f881b447105677f
- SHA256: 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b
- SHA512: 6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87
- SSDEEP: 3072:9msKGgOkGqHmT76JidYL49Nw/fnQRi6RwhGpVAv6IQ9BiQc9A:9JqHmTieNwnKh5NZ9bH
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 4 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
  - Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe = "C:\\Users\\Public\\E-73473-3674-74335\\msnrsmsn.exe:*:Enabled:Microsoft3264OSUpdate" | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  - 1304 | msnrsmsn.exe
  - 3544 | msnrsmsn.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft3264OSUpdate = "C:\\Users\\Public\\E-73473-3674-74335\\msnrsmsn.exe" | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  - PID 916 set thread context of 2500 | 916 | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe | 80
  - PID 1304 set thread context of 3544 | 1304 | msnrsmsn.exe | 82

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc | Process
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target | occurrences
  - PID 916 wrote to memory of 2500 | 916 | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe | 80 | 8
  - PID 2500 wrote to memory of 1304 | 2500 | 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe | 81 | 3
  - PID 1304 wrote to memory of 3544 | 1304 | msnrsmsn.exe | 82 | 8
Processes (tree, indented by depth)

1. C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe"
   PID: 916
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe"
      PID: 2500
      - Modifies firewall policy service
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe
         Command line: "C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe"
         PID: 1304
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe
            Command line: "C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe"
            PID: 3544
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Download 1
- Filesize: 333KB
- MD5: 06b7dcdff00ed18e156ba6cf4e9a02f7
- SHA1: 541032ba6ab7c383b804161a1f881b447105677f
- SHA256: 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b
- SHA512: 6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download 2
- Filesize: 333KB
- MD5: 06b7dcdff00ed18e156ba6cf4e9a02f7
- SHA1: 541032ba6ab7c383b804161a1f881b447105677f
- SHA256: 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b
- SHA512: 6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download 3
- Filesize: 333KB
- MD5: 06b7dcdff00ed18e156ba6cf4e9a02f7
- SHA1: 541032ba6ab7c383b804161a1f881b447105677f
- SHA256: 2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b
- SHA512: 6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87