Analysis (the details below are from the windows10-2004_x64 run, behavioral2)
  max time kernel:  151s
  max time network: 154s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        21/11/2022, 15:58
Behavioral task behavioral1
  Sample:   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
  Resource: win7-20220812-en

Behavioral task behavioral2
  Sample:   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
  Resource: win10v2004-20220812-en
General
  Target: e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
  Size:   344KB
  MD5:    246f863339661fec85869da29d2b2878
  SHA1:   85f109292353baaadfdbea500b469258faf0b8f3
  SHA256: e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66
  SHA512: 2d99b4423885517ad97a37d733d615faa0fe327137e84ea8c72b64b7618d3ee4938313cb622f2a10a37bab318365786bce95659b0c9c2c9ecf3af93245e5d9c3
  SSDEEP: 6144:yuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL3ks3ih1XGWp:Z6Wq4aaE6KwyF5L0Y2D1PqLF3c20
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID    Process
  4840   commander.exe
  3748   commander.exe

YARA rule upx
  resource                                                                       yara_rule
  behavioral2/memory/2472-132-0x0000000000400000-0x00000000004C8000-memory.dmp   upx
  behavioral2/memory/2472-139-0x0000000000400000-0x00000000004C8000-memory.dmp   upx
  Both dumps are of the sample process (PID 2472), same 0x400000-0x4C8000 range.

AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                       yara_rule
  behavioral2/memory/2472-139-0x0000000000400000-0x00000000004C8000-memory.dmp   autoit_exe

Drops file in System32 directory (1 IoCs)
  description    ioc                                 Process
  File created   C:\Windows\SysWOW64\commander.exe   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe

Drops file in Windows directory (2 IoCs)
  description                    ioc                     Process
  File created                   C:\Windows\svhost.exe   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
  File opened for modification   C:\Windows\svhost.exe   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID    Process
  2472   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
  2472   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         PID    Process                                                                  procid_target
  PID 2472 wrote to memory of 4840    2472   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe    82   (recorded 3 times)
  PID 4840 wrote to memory of 2080    4840   commander.exe                                                            84   (recorded 3 times)
  PID 2472 wrote to memory of 3748    2472   e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe    85   (recorded 3 times)
  PID 3748 wrote to memory of 4848    3748   commander.exe                                                            87   (recorded 3 times)
  The four target PIDs (4840, 2080, 3748, 4848) are exactly the child processes in the process tree below, so these entries are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe
  "C:\Users\Admin\AppData\Local\Temp\e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe"
  PID: 2472
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\commander.exe
  |     commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
  |     PID: 4840
  |     - Executes dropped EXE
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\at.exe
  |           at 9:00 /interactive C:\Windows\svhost.exe
  |           PID: 2080
  |
  +-- C:\Windows\SysWOW64\commander.exe
        commander.exe /C schtasks /run /tn at1
        PID: 3748
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\schtasks.exe
              schtasks /run /tn at1
              PID: 4848
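The tree above is a two-step persistence chain: the dropped commander.exe first calls at.exe to schedule C:\Windows\svhost.exe for 9:00 with /interactive (at.exe names its jobs At1, At2, ... and /interactive lets the job use the logged-on user's desktop), then calls schtasks /run /tn at1 to fire that job right away instead of waiting for 9:00. One caveat for triage: at.exe has only printed a deprecation message since Windows 8, so on the Windows 10 run recorded here the job was most likely never created, which is consistent with the report listing no task-creation IoC. The detection logic below is an added example, not code from the Triage report or from the sample: it runs over process-creation events constructed from the PIDs, images and command lines in this tree and flags both halves of the at/schtasks chain and the binaries launched from C:\Windows by a process in a user Temp directory. The ProcEvent shape, the rule names and the user-Temp path pattern are the example's own assumptions.

```python
"""Detection of an at.exe / schtasks.exe persistence chain over process-creation
events. Added example; not code from the Triage report. The events below are
constructed from the PIDs, images and command lines in the report's process tree."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:          # assumed event shape (EDR / Sysmon event 1 style)
    pid: int
    ppid: int
    image: str            # full image path of the created process
    cmdline: str          # command line as logged


SAMPLE = "e77dac09454be0cf386216b5a954c63d312f4cd5cc430a5074e8b79bfdb98f66.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed events mirroring the report's tree; ppid 0 = parent not recorded.
EVENTS: List[ProcEvent] = [
    ProcEvent(2472, 0, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(4840, 2472, r"C:\Windows\SysWOW64\commander.exe",
              r"commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe"),
    ProcEvent(2080, 4840, r"C:\Windows\SysWOW64\at.exe",
              r"at 9:00 /interactive C:\Windows\svhost.exe"),
    ProcEvent(3748, 2472, r"C:\Windows\SysWOW64\commander.exe",
              r"commander.exe /C schtasks /run /tn at1"),
    ProcEvent(4848, 3748, r"C:\Windows\SysWOW64\schtasks.exe",
              r"schtasks /run /tn at1"),
]

EXE_PATH = re.compile(r'[a-z]:\\[^\s"]+\.exe', re.I)   # absolute path ending in .exe
AT_JOB = re.compile(r"/tn\s+(at\d+)\b", re.I)          # at.exe names its jobs At1, At2, ...
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)  # assumed layout


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def root_pid(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Follow ppid links up to the highest ancestor present in the event set."""
    seen = set()
    while pid not in seen and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def scan(events: List[ProcEvent]) -> List[dict]:
    """Apply three rules to each event; every finding carries its tree's root PID."""
    by_pid = {e.pid: e for e in events}
    findings: List[dict] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        root = root_pid(e.pid, by_pid)
        # Rule 1: a binary under C:\Windows launched by something in a user Temp dir
        #         (the report's "Executes dropped EXE" after "Drops file in System32")
        if parent and USER_TEMP.match(parent.image) and under_windows_dir(e.image):
            findings.append({"rule": "windows_dir_exe_spawned_from_temp",
                             "pid": e.pid, "root": root, "detail": e.image})
        # Rule 2: at.exe scheduling an executable that lives under C:\Windows
        if name == "at.exe":
            targets = [t for t in EXE_PATH.findall(e.cmdline) if under_windows_dir(t)]
            if targets:
                findings.append({"rule": "at_schedules_windows_dir_exe",
                                 "pid": e.pid, "root": root, "detail": targets[0],
                                 "interactive": "/interactive" in e.cmdline.lower()})
        # Rule 3: schtasks /run forcing an At<n> job to execute immediately
        if name == "schtasks.exe" and "/run" in e.cmdline.lower():
            m = AT_JOB.search(e.cmdline)
            if m:
                findings.append({"rule": "schtasks_runs_at_job",
                                 "pid": e.pid, "root": root, "detail": m.group(1)})
    return findings


def chained_roots(findings: List[dict]) -> List[int]:
    """Root PIDs whose process tree both created an At job and forced it to run."""
    rules_by_root: Dict[int, set] = {}
    for f in findings:
        rules_by_root.setdefault(f["root"], set()).add(f["rule"])
    wanted = {"at_schedules_windows_dir_exe", "schtasks_runs_at_job"}
    return sorted(r for r, rules in rules_by_root.items() if wanted <= rules)


if __name__ == "__main__":
    found = scan(EVENTS)
    for f in found:
        print(f"[{f['rule']}] pid={f['pid']} root={f['root']} {f['detail']}")
    print("at-job scheduled and run from root PID(s):", chained_roots(found))
```

Rule 2 and rule 3 each fire on their own for a single suspicious command line; chained_roots ties them back to the common ancestor (here PID 2472) so that the pair is reported as one persistence attempt rather than two unrelated LOLBin alerts. A schtasks /run against a task not named At<n> produces nothing, which keeps ordinary administrative use of schtasks out of the results.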
Network
MITRE ATT&CK Enterprise v6
Downloads

Two files are available for download; both have the same size and hashes.

File 1
  Filesize: 231KB
  MD5:      8e18f2878034e5ed4f901524fbc22a7a
  SHA1:     165f57f6020c082ee4f88b6f076ff843298610b5
  SHA256:   dbe0d19a044651b99208cc26207a1e72d118ada977b561e598ab94b3304fd643
  SHA512:   3d3a1a4d8a75bb4306ed00915a74c55f0231f637c6d49f788feb1e45c383d729b8f63809e7c0c42b656f5d7ab20b9330a888eefa003c5cfb62b2c0677dce9e49

File 2
  Filesize: 231KB
  MD5:      8e18f2878034e5ed4f901524fbc22a7a
  SHA1:     165f57f6020c082ee4f88b6f076ff843298610b5
  SHA256:   dbe0d19a044651b99208cc26207a1e72d118ada977b561e598ab94b3304fd643
  SHA512:   3d3a1a4d8a75bb4306ed00915a74c55f0231f637c6d49f788feb1e45c383d729b8f63809e7c0c42b656f5d7ab20b9330a888eefa003c5cfb62b2c0677dce9e49