Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 15:11

General

  • Target

    203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe

  • Size

    48KB

  • MD5

    0cfd7b9daaeeccf65756bd2a5a383bb0

  • SHA1

    fbb15fe5852c30f3f2c89cd298d1318aa818290b

  • SHA256

    203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79

  • SHA512

    daf9423aab383a8fc4fbc7732802c45a00f557b92d6014f9197349e8a57d5001f8a9423380826766d000265c59000a51c41b1ad1896563394b660d6a63e3f61a

  • SSDEEP

    768:hMTLFoLgpF2jD6JNDVUG93jMyPIGjAHlC5GtE:h6Z/pk+cGtjP5OsAa

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
    "C:\Users\Admin\AppData\Local\Temp\203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://login.live.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4624

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z2evvp3\imagestore.dat

    Filesize

    17KB

    MD5

    2fe642009e570ce45aeba39610492dde

    SHA1

    48537aca12a82833f310e3debeca2c8ba6c204d1

    SHA256

    575321485b9c0391dfc6de15755c180344c1785687cc5e757b2339c3dd1e5c44

    SHA512

    8c23e4ba14e63510d16be4a622a4d28bd6967fd3de27bf3cacf749600d762dd536468092283b1143cf31168410c6653198a8bcf2faf9c9b3cf029f7a25061784

  • memory/4584-132-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/4584-133-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB