Analysis
- max time kernel: 171s
- max time network: 214s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/11/2022, 22:59
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
  - Resource: win7-20221111-en

Behavioral task
- behavioral2
  - Sample: 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
  - Resource: win10v2004-20221111-en
General
- Target: 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
- Size: 286KB
- MD5: 979efe8b0c92a12c7672c13a1c411023
- SHA1: 57659c0d9c152d0f50b8b790dcbbfbb25ad2a5a0
- SHA256: 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090
- SHA512: d994cf62a5ba18180e5b0d8e1c43cbfa30b17816c4d0facbbdae45c96dbe5722954606941a4f0a7c97bd8492a9d653acd7dd53a64d1b52123290a58e08f0b572
- SSDEEP: 6144:rLtYLoU6a/4uXBRXWQMuRRR+yDPlcDV60Ls1onctlj:3iLxBOir++Pl2gonI
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  pid  | Process
  2012 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                                                                            | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\Default File.exe" | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Default File.exe"                                   | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs ping.exe (1 TTPs, 1 IoCs)
  pid  | Process
  1280 | PING.EXE

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 1356 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
  Token: SeDebugPrivilege | 2012 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
  Token: SeDebugPrivilege | 2012 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                    | pid  | Process                                                              | procid_target
  PID 1356 wrote to memory of 2012 | 1356 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe | 84
  PID 1356 wrote to memory of 2012 | 1356 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe | 84
  PID 1356 wrote to memory of 2012 | 1356 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe | 84
  PID 1356 wrote to memory of 4232 | 1356 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe | 85
  PID 1356 wrote to memory of 4232 | 1356 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe | 85
  PID 1356 wrote to memory of 4232 | 1356 | 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe | 85
  PID 4232 wrote to memory of 1280 | 4232 | cmd.exe                                                              | 90
  PID 4232 wrote to memory of 1280 | 4232 | cmd.exe                                                              | 90
  PID 4232 wrote to memory of 1280 | 4232 | cmd.exe                                                              | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe"
   PID: 1356
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe"
      PID: 2012
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe"
      PID: 4232
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 1000
         PID: 1280
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090\831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090.exe
  - Filesize: 286KB
  - MD5: 979efe8b0c92a12c7672c13a1c411023
  - SHA1: 57659c0d9c152d0f50b8b790dcbbfbb25ad2a5a0
  - SHA256: 831a090aca43ee9a8a104f5bfdedcbcd29cd97355e66f6c703889aab5c4a6090
  - SHA512: d994cf62a5ba18180e5b0d8e1c43cbfa30b17816c4d0facbbdae45c96dbe5722954606941a4f0a7c97bd8492a9d653acd7dd53a64d1b52123290a58e08f0b572