Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 20:41

General

  • Target

    f41c2c681c97c911650f058881890ceabd27e7c84dd1e5a578a0b766cbe4de9b.exe

  • Size

    148KB

  • MD5

    0efd4377d48e9fa18fb3f390c6cdfb01

  • SHA1

    422d5570afd48ed88f2efc14db70482032e96abd

  • SHA256

    f41c2c681c97c911650f058881890ceabd27e7c84dd1e5a578a0b766cbe4de9b

  • SHA512

    8ce607c7b181d4f1776c3186785c40a11ada2426abd247f510395e81c5b5faf72d905f30a121ea42d002d24c75c6458795a51874ef5a2ec467351457419f26c9

  • SSDEEP

    3072:/iF2Qh4mRpDGq7At/yRWr2wA36nbMUq8hFOdhIk4oQZiEtx6Ua3:KFBh96F90Wf7nJPwdzWZ6U6

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f41c2c681c97c911650f058881890ceabd27e7c84dd1e5a578a0b766cbe4de9b.exe
    "C:\Users\Admin\AppData\Local\Temp\f41c2c681c97c911650f058881890ceabd27e7c84dd1e5a578a0b766cbe4de9b.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\ytqit.exe
      "C:\Users\Admin\ytqit.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\ytqit.exe

    Filesize

    148KB

    MD5

    7285905c82ccc2df6c7294e5d06b973a

    SHA1

    698f1f9a9618f8a5f22c2c2d12fc89c1fa368f07

    SHA256

    7d22182599073ad6a7557176c3589626cd6c555729f9ad63a2d2eadc81546046

    SHA512

    fa355afacdcd515806f60bbcb73b18e7c61f7b9814627624883b31a46af60cbf51f240b5985919843de80197dc6f3f048c4ff38f79052956cf6f7b90f3a70057

  • C:\Users\Admin\ytqit.exe

    Filesize

    148KB

    MD5

    7285905c82ccc2df6c7294e5d06b973a

    SHA1

    698f1f9a9618f8a5f22c2c2d12fc89c1fa368f07

    SHA256

    7d22182599073ad6a7557176c3589626cd6c555729f9ad63a2d2eadc81546046

    SHA512

    fa355afacdcd515806f60bbcb73b18e7c61f7b9814627624883b31a46af60cbf51f240b5985919843de80197dc6f3f048c4ff38f79052956cf6f7b90f3a70057