Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
213s -
max time network
246s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23/11/2022, 20:54
Static task
static1
Behavioral task
behavioral1
Sample
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
Resource
win10v2004-20221111-en
General
-
Target
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
-
Size
202KB
-
MD5
6c33623044bed83d7ab579bb8dff8fea
-
SHA1
1181d74579c8eccc84ea5ceaf5eb85bc8934dc99
-
SHA256
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca
-
SHA512
55528c731445b86dceb5ca06bea56dbe240e3af1b4976955abe49fb16391ae24163f5d47a33f048ec1f74c093c38124c2750a90a716f219c10e7331bb95c9c2c
-
SSDEEP
3072:sUhH+lIxpQoyjeRhDMiERHi+Oaf9ZJq8/Ng8TTeYEUhOrGp2:V+qXDyShD0Fi+df9ZYaJmYZA0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4304 LocalhhNFCSRcmz.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4304 LocalhhNFCSRcmz.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2164 wrote to memory of 4304 2164 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe 82 PID 2164 wrote to memory of 4304 2164 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe 82 PID 2164 wrote to memory of 4304 2164 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD58ade27886bd4b45661361a87ff22540d
SHA1705d67ad604f5a2ed770a8025299405ee665beac
SHA256c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942
SHA5126d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a
-
Filesize
72KB
MD58ade27886bd4b45661361a87ff22540d
SHA1705d67ad604f5a2ed770a8025299405ee665beac
SHA256c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942
SHA5126d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a