Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 18:26

General

  • Target

    f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe

  • Size

    176KB

  • MD5

    0d90878e9045e5be441a9f3d20f29b6e

  • SHA1

    864bf947a5b3b1a7e5f9b2215199ef21bb600e2d

  • SHA256

    f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662

  • SHA512

    cc56bcd683dd444192941b7ac3d74fba0e3dfb689b6c761663b6afae6b70d290ea7b301fb9da1b4e7ef2d006c8dae0d4ee7f605764ba909b52500e0ae2ebe595

  • SSDEEP

    3072:Dhh8C/nROzg7iiwJvXZETcbLn67kLpyRurohZbsn4KhWNUzMzGV5/bBD3ynrul1y:Vh7YU7iiwJvXZETcbLn6YLProhZbsn47

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
    "C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Users\Admin\bihag.exe
      "C:\Users\Admin\bihag.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\bihag.exe

    Filesize

    176KB

    MD5

    5861d95915a08a7a10f30f053b47d639

    SHA1

    5860a3ef22a101d8f2cb1fc447ebf92d228957dc

    SHA256

    dc3161501f52a554385bfdfb994f961c69ebac0343eaa27e95f2fb6fb4a85ce1

    SHA512

    16d07836ab323fa69613873fb55e2f8f39e6fb72a997432e80a5d4f8a166e78cd2a5244d2a392b59a653b76314ea77385756ab05c54c62bce8949efbbce4dca0

  • C:\Users\Admin\bihag.exe

    Filesize

    176KB

    MD5

    5861d95915a08a7a10f30f053b47d639

    SHA1

    5860a3ef22a101d8f2cb1fc447ebf92d228957dc

    SHA256

    dc3161501f52a554385bfdfb994f961c69ebac0343eaa27e95f2fb6fb4a85ce1

    SHA512

    16d07836ab323fa69613873fb55e2f8f39e6fb72a997432e80a5d4f8a166e78cd2a5244d2a392b59a653b76314ea77385756ab05c54c62bce8949efbbce4dca0