Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 15:04

General

  • Target

    e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe

  • Size

    419KB

  • MD5

    073a79104101a2ae4535719f94bc8480

  • SHA1

    51a2fb2180a8e2a50e8f6b39de8602cf117cf857

  • SHA256

    e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173

  • SHA512

    866901ad79d94ac6e1cdd6e415aa2d6286844078f12b23ff37643a67dc6c5fcfbd975831eb58f6e464896a6269ddeec2cbcf3376be7068e94fc14eac23507a7d

  • SSDEEP

    6144:u7PjM1h2DiL6yA8IpdJfLKLzmPPb+WCFOnDK0svS:yMLM2tIpnGzmPSWC64K

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe
    "C:\Users\Admin\AppData\Local\Temp\e796ed4142550aadcd2787b88664aa4338638bc26d0865f3e020354f934c0173.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Users\Admin\AppData\Local\Temp\cegoh.exe
      "C:\Users\Admin\AppData\Local\Temp\cegoh.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Local\Temp\hyibn.exe
        "C:\Users\Admin\AppData\Local\Temp\hyibn.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1628
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      PID:548

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

      Filesize

      340B

      MD5

      5c0d4071de770b54e5029ea67ab8202a

      SHA1

      0fa729ddbedaf4f8d3dc8d70d475a721d5894317

      SHA256

      81557131f78feef4c027870d164afe28a9a7e39eef90f77a3adb4770d4143289

      SHA512

      e56a0f0d43d4916cb235d5e507c39757ad6ac76aeba2f674b614092e729d9c2c4bbde3cd151932123818263ca60692bf5a707fd87831496f79cd81b436678fe6

    • C:\Users\Admin\AppData\Local\Temp\cegoh.exe

      Filesize

      420KB

      MD5

      0b1b199d690350dc89cf8d03798e916f

      SHA1

      154e59702f190c9cb2f6df9a23cbae2a38484e36

      SHA256

      3c3473dfd4269547cf952b8d81da6f21322f99d5d247a213ade76849a37e1fc9

      SHA512

      cac2b2da2143b60f085a7045804bd8a4d95992f2a790cb35546002f244be51e5c14712b717f51c288dd4d82b5df609a9657fe6889e5c852b92df7e74d9622381

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

      Filesize

      512B

      MD5

      4366c8d09765f8fa2a9542db96b632ab

      SHA1

      d5d99d5f07dacfe74c4272c8aa01b1344cba324c

      SHA256

      cb1e0fefde4d5c71de25f51bbf5e331307219e938eef1aeda389e26073f330b3

      SHA512

      c1bd5361079a1500fe90d63eb51882364698411bff1978ed2ae1124a8181f20732ecad49ef58b3331e67f27afc8d18b8ea6e0c5993626f683718fa774303c44f

    • C:\Users\Admin\AppData\Local\Temp\hyibn.exe

      Filesize

      207KB

      MD5

      a36574360411c725f67a20fd1327bc10

      SHA1

      718226072250f9ee1995ce7eeea4ca53b750f878

      SHA256

      7efbdc94820f182404bb2295cbf1fd36fcfb45bb11f70f24cbdf2139d2f378f1

      SHA512

      48e875c41ce6867a918c6f41ad3e64e3ee8e0a0e1e8c3b9add40f5bbfd5e82d6197f7c553864e6954bee0fb2200aa7d412ca37ea907c88de85b1dee0802c6c1f

    • memory/644-137-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/644-132-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/1628-146-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/1628-147-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/3636-139-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/3636-141-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/3636-145-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB