Analysis

  • max time kernel
    213s
  • max time network
    246s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2022, 20:54

General

  • Target

    0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe

  • Size

    202KB

  • MD5

    6c33623044bed83d7ab579bb8dff8fea

  • SHA1

    1181d74579c8eccc84ea5ceaf5eb85bc8934dc99

  • SHA256

    0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca

  • SHA512

    55528c731445b86dceb5ca06bea56dbe240e3af1b4976955abe49fb16391ae24163f5d47a33f048ec1f74c093c38124c2750a90a716f219c10e7331bb95c9c2c

  • SSDEEP

    3072:sUhH+lIxpQoyjeRhDMiERHi+Oaf9ZJq8/Ng8TTeYEUhOrGp2:V+qXDyShD0Fi+df9ZYaJmYZA0
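Before spending analyst time on a copy of this sample pulled from a feed or share, confirm it is the binary the report describes. The following is an added example, not part of the tria.ge report: it streams a file once, computes all four published digests in a single pass, and names which report entry (the submitted target above, or the dropped file listed under Downloads) the file matches. The hash values are copied from this page; the file paths and the constructed test input are assumptions.

```python
"""
Verify a retrieved sample against the digests published in this report.
Hash values are copied from the report's General and Downloads sections.
A mismatch on any single algorithm means a different binary (repacked,
patched or mislabelled), so all four must agree before the match is accepted.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Optional

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Published digests, keyed by a short label for the report entry.
REPORT_HASHES: Dict[str, Dict[str, str]] = {
    "target 0029ff91...bd892ca.exe": {
        "md5": "6c33623044bed83d7ab579bb8dff8fea",
        "sha1": "1181d74579c8eccc84ea5ceaf5eb85bc8934dc99",
        "sha256": "0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca",
        "sha512": "55528c731445b86dceb5ca06bea56dbe240e3af1b4976955abe49fb16391ae24163f5d47a33f048ec1f74c093c38124c2750a90a716f219c10e7331bb95c9c2c",
    },
    "dropped LocalhhNFCSRcmz.exe": {
        "md5": "8ade27886bd4b45661361a87ff22540d",
        "sha1": "705d67ad604f5a2ed770a8025299405ee665beac",
        "sha256": "c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942",
        "sha512": "6d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a",
    },
}


def digests_for_stream(fp: BinaryIO, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Compute all four digests in one pass over the stream (no re-reading the file)."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    for chunk in iter(lambda: fp.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digests_for_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used for tests and carved payloads)."""
    return digests_for_stream(io.BytesIO(data))


def digests_for_file(path: str) -> Dict[str, str]:
    """Hash a file on disk; the path is whatever you saved the sample as (assumption)."""
    with open(path, "rb") as fp:
        return digests_for_stream(fp)


def match_report(digests: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Per report entry and per algorithm: does the computed digest equal the published one?"""
    return {
        label: {algo: digests[algo] == expected[algo] for algo in ALGOS}
        for label, expected in REPORT_HASHES.items()
    }


def identify(digests: Dict[str, str]) -> Optional[str]:
    """Label of the report entry that matches on all four algorithms, or None."""
    for label, per_algo in match_report(digests).items():
        if all(per_algo.values()):
            return label
    return None


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digests_for_file(path)
        print(path, "->", identify(d) or "no match", d["sha256"])
```

Run it as `python verify_sample.py <file>` for each candidate file; a partial match (say MD5 equal but SHA-256 not) is worth noting explicitly, since it points at a deliberately colliding or tampered artifact rather than an unrelated file.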

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry (typically the Control Panel\International\Geo value that GetUserGeoID returns), a common geofence: the sample can exit or stay dormant in countries the operator wants to avoid. Keep this in mind when a detonation looks benign; the sandbox locale here is en-us.

  • Enumerates physical storage devices 1 TTPs

    Attempts to enumerate and interact with connected storage/optical drive(s). The sandbox rates this as likely ransomware behaviour, since encryptors walk every attached volume, but drive enumeration on its own is also routine in installers and backup tools, so treat it as supporting evidence rather than proof.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
    "C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe
      "C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4304
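Two of the signatures above translate directly into endpoint detection logic: the registry geofence lookup by PID 2164, and PID 2164 dropping a file that PID 4304 then runs ("Executes dropped EXE"). The following is an added example, not part of the tria.ge report or its signature set. It runs two checks over a constructed, Sysmon-style event list that mirrors the process tree above; the event records, the parent PID 1200 and the exact registry key are assumptions, since the report does not publish raw telemetry.

```python
"""
Behavioural checks modelled on two report signatures:
  - "Checks computer location settings": a read of the user's Geo registry value.
  - "Executes dropped EXE": a process launching an image its own parent just wrote.

EVENTS is CONSTRUCTED for this example in a Sysmon-like shape; it is not
telemetry from the sandbox run, although the PIDs and paths follow the report.
"""
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Registry location commonly consulted for the configured country code
# (GetUserGeoID reads it). The report does not name the key; this is an assumption.
GEO_KEY_FRAGMENT = r"\control panel\international\geo"

EVENTS: List[Event] = [
    {"type": "process_create", "pid": 2164, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"},
    {"type": "registry_read", "pid": 2164,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "pid": 2164,
     "path": r"C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"},
    {"type": "process_create", "pid": 4304, "ppid": 2164,
     "image": r"C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"},
    # Constructed benign noise: an unrelated registry read and a normal process start.
    {"type": "registry_read", "pid": 1200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process_create", "pid": 5000, "ppid": 1200,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def _norm(path: object) -> str:
    """Windows paths and keys are case-insensitive; compare them lower-cased."""
    return str(path).strip().lower()


def detect_geofence(events: List[Event]) -> List[int]:
    """PIDs that read any value under the Geo key: candidate geofence checks."""
    hits: List[int] = []
    for ev in events:
        if ev["type"] == "registry_read" and GEO_KEY_FRAGMENT in _norm(ev["key"]):
            if ev["pid"] not in hits:
                hits.append(int(ev["pid"]))  # type: ignore[arg-type]
    return hits


def detect_dropped_exe_execution(events: List[Event]) -> List[Tuple[int, int, str]]:
    """(writer_pid, child_pid, image) where a process launches an image that an
    EARLIER event shows being written by that process's own parent.
    Event order matters: a launch that precedes the write is not a drop-and-execute."""
    written: Dict[str, int] = {}  # normalised path -> pid that wrote it
    findings: List[Tuple[int, int, str]] = []
    for ev in events:
        if ev["type"] == "file_write":
            written[_norm(ev["path"])] = int(ev["pid"])  # type: ignore[arg-type]
        elif ev["type"] == "process_create":
            writer = written.get(_norm(ev["image"]))
            if writer is not None and writer == ev["ppid"]:
                findings.append((writer, int(ev["pid"]), str(ev["image"])))  # type: ignore[arg-type]
    return findings


def triage(events: List[Event]) -> Dict[str, object]:
    """Bundle both checks into one verdict structure for a report or SIEM alert."""
    return {
        "geofence_pids": detect_geofence(events),
        "dropped_exe_chains": detect_dropped_exe_execution(events),
    }


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(f"{name}: {value}")
```

The drop-and-execute check deliberately requires the writer to be the parent of the new process; relaxing that to "any earlier writer" catches staged loaders that hand off through a scheduled task or service, at the cost of more noise from installers, so tune it to the telemetry you actually collect.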

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe

    Filesize

    72KB

    MD5

    8ade27886bd4b45661361a87ff22540d

    SHA1

    705d67ad604f5a2ed770a8025299405ee665beac

    SHA256

    c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942

    SHA512

    6d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a

  • memory/2164-132-0x00007FFED9000000-0x00007FFED9A36000-memory.dmp

    Filesize

    10.2MB

  • memory/4304-136-0x0000000074D70000-0x0000000075321000-memory.dmp

    Filesize

    5.7MB

  • memory/4304-137-0x0000000074D70000-0x0000000075321000-memory.dmp

    Filesize

    5.7MB