Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

fa6828e1ce...e8.exe

windows7-x64

10

fa6828e1ce...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 20:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe

  • Size

    140KB

  • MD5

    0cb4416aeafb245609fdde53974886ac

  • SHA1

    a665f2feed56c97da9c3db9fd68d0a1e44fc8fa2

  • SHA256

    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8

  • SHA512

    737d0d42ed872188542b85420f28cba447c05d422d7282b490f03ef390940761569a52f8f96b561aed87478dd7ab435d4ff527b682017c7a081e9e2ecc784cb6

  • SSDEEP

    1536:0JoQjKVQrGkYAcANSU+MNG5ipzqYbCa3458X77UsMJn1ogCnzqLcTJLO01DvqKW:3QrrGkYnAS4R77UsMJn1opVwfG

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 29 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    "C:\Users\Admin\AppData\Local\Temp\fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\ylbiup.exe
      "C:\Users\Admin\ylbiup.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:436

Network

  • flag-us
    DNS
    ns1.chopbell.com
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.chopbell.com
    IN A
    Response
  • flag-us
    DNS
    ns1.chopbell.net
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.chopbell.net
    IN A
    Response
  • flag-us
    DNS
    ns1.chopball.org
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.chopball.org
    IN A
    Response
  • flag-us
    DNS
    ns1.chopball.org
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.chopball.org
    IN A
    Response
  • flag-us
    DNS
    ns1.chopbell.biz
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.chopbell.biz
    IN A
    Response
  • flag-us
    DNS
    ns1.chopbell.biz
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.chopbell.biz
    IN A
    Response
  • flag-us
    DNS
    ns1.chopbell.info
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.chopbell.info
    IN A
    Response
  • 93.184.220.29:80
    322 B
     7
  • 93.184.221.240:80
    322 B
     7
  • 93.184.221.240:80
    322 B
     7
  • 20.42.65.84:443
    322 B
     7
  • 93.184.220.29:80
    260 B
     5
  • 8.253.208.113:80
    322 B
     7
  • 8.253.208.113:80
    322 B
     7
  • 8.253.208.113:80
    260 B
     5
  • 67.27.153.254:80
    260 B
     5
  • 8.253.208.112:80
    260 B
     5
  • 8.8.8.8:53
    ns1.chopbell.com
    dns
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    62 B
     120 B
     1
    1

    DNS Request

    ns1.chopbell.com

  • 8.8.8.8:53
    ns1.chopbell.net
    dns
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    62 B
     135 B
     1
    1

    DNS Request

    ns1.chopbell.net

  • 8.8.8.8:53
    ns1.chopball.org
    dns
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    124 B
     288 B
     2
    2

    DNS Request

    ns1.chopball.org

    DNS Request

    ns1.chopball.org

  • 8.8.8.8:53
    ns1.chopbell.biz
    dns
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    124 B
     248 B
     2
    2

    DNS Request

    ns1.chopbell.biz

    DNS Request

    ns1.chopbell.biz

  • 8.8.8.8:53
    ns1.chopbell.info
    dns
    fa6828e1cedcc19289d3e030bc756486328d2a7bfc7b53804006e828fc5d36e8.exe
    63 B
     142 B
     1
    1

    DNS Request

    ns1.chopbell.info

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\ylbiup.exe
    Filesize

    140KB

    MD5

    5457717d28b034f08607ed2fbeebb8ee

    SHA1

    a4b88b76adf61770eabf729a383f2af0d6d7b889

    SHA256

    20549d805583fbcf435659f6f691926ae2faab36e245b2630f5b449a954b11b9

    SHA512

    95259549a04eca9905f3255a04bfd74e2d5295c554741ce18517c97e6fd2a46138c1d5a7e2edda33a8e1f8a5e288b715e46186f581675034f6a11e8994e47c43

    Download Submit

  • C:\Users\Admin\ylbiup.exe
    Filesize

    140KB

    MD5

    5457717d28b034f08607ed2fbeebb8ee

    SHA1

    a4b88b76adf61770eabf729a383f2af0d6d7b889

    SHA256

    20549d805583fbcf435659f6f691926ae2faab36e245b2630f5b449a954b11b9

    SHA512

    95259549a04eca9905f3255a04bfd74e2d5295c554741ce18517c97e6fd2a46138c1d5a7e2edda33a8e1f8a5e288b715e46186f581675034f6a11e8994e47c43

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.