Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
25/11/2022, 15:55
General
-
Target
e1a2f51dadfee7a296d8c0fa2941c58313724d5158a483756d9814a028ba8924.exe
-
Size
305KB
-
MD5
a750e2f4ae05402949bb137a265fb170
-
SHA1
cbcffb2851eff56376d4b57dd9ae6e2608625d88
-
SHA256
e1a2f51dadfee7a296d8c0fa2941c58313724d5158a483756d9814a028ba8924
-
SHA512
601933eeb8c5163cf198f9019a8f9459b4f1b79082bc50fada5e5f2e8aab2952fbc5f1fb55950a2cd1129e04294293348601a9d3c5e0317d356dd162562f3364
-
SSDEEP
6144:MAfMSIUI4fyB6szPXz4lk1ZIR7KySE76cseR0:MmMSIifyRPXclk1ZgKEGcseR0
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e1a2f51dadfee7a296d8c0fa2941c58313724d5158a483756d9814a028ba8924.exe"C:\Users\Admin\AppData\Local\Temp\e1a2f51dadfee7a296d8c0fa2941c58313724d5158a483756d9814a028ba8924.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop sharedaccess3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\e1a2f51dadfee7a296d8c0fa2941c58313724d5158a483756d9814a028ba8924.exe"C:\Users\Admin\AppData\Local\Temp\e1a2f51dadfee7a296d8c0fa2941c58313724d5158a483756d9814a028ba8924.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Arow\uthih.exe"C:\Users\Admin\AppData\Roaming\Arow\uthih.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop sharedaccess5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Arow\uthih.exe"C:\Users\Admin\AppData\Roaming\Arow\uthih.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp65b4437d.bat"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307B
MD57f7bda14c4f9be905554d7e3a1512ff0
SHA13f3030b77ab3f504fe72b523e1e81b12ee4ffa92
SHA256f8adb7e7dcb69bd5675ba46e2764f45db7996940d789d29408281b465cc0d345
SHA512813c50d4a9dd0f217b0d1abb1c70f30fcb8e301851b0b25ef6c639c007e58b238b067636b0e7d06f66dd1f28db77472160c737c53ce83b59f75363623366f742
-
Filesize
305KB
MD5ab3d614871f907576ed2f856fc77da17
SHA1ac60cfee7d155a239718101465e16f2701ff8938
SHA2565af9afc7012016850f77667b59f3e2bb70ccf121442e35ffc7a557a9bdaf39bd
SHA512676bc3915ebe3ed95354758bade840fc70fce392c3139d144e79ae068cce14a0e3e987f73a6d726dcbbb613b4f73b3a92a23f982ca4c3e039c8cd2144bb81366
-
Filesize
305KB
MD5ab3d614871f907576ed2f856fc77da17
SHA1ac60cfee7d155a239718101465e16f2701ff8938
SHA2565af9afc7012016850f77667b59f3e2bb70ccf121442e35ffc7a557a9bdaf39bd
SHA512676bc3915ebe3ed95354758bade840fc70fce392c3139d144e79ae068cce14a0e3e987f73a6d726dcbbb613b4f73b3a92a23f982ca4c3e039c8cd2144bb81366
-
Filesize
305KB
MD5ab3d614871f907576ed2f856fc77da17
SHA1ac60cfee7d155a239718101465e16f2701ff8938
SHA2565af9afc7012016850f77667b59f3e2bb70ccf121442e35ffc7a557a9bdaf39bd
SHA512676bc3915ebe3ed95354758bade840fc70fce392c3139d144e79ae068cce14a0e3e987f73a6d726dcbbb613b4f73b3a92a23f982ca4c3e039c8cd2144bb81366
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB