Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
204s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
25/11/2022, 17:03
Static task
static1
Behavioral task
behavioral1
Sample
5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe
Resource
win10v2004-20221111-en
General
-
Target
5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe
-
Size
585KB
-
MD5
593c49bcff04c91af78483c1d8d87cbd
-
SHA1
15499641c22650e742a2497b81de0fec8a6a5f84
-
SHA256
5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
-
SHA512
9523027b47ee703211fb69858fa9213087c01186586a94d10f678ef35929fc211eea1be8e0acd285e44d9c96b1ee950ea280ee1fc547a1c861ae32c5923fbdaf
-
SSDEEP
12288:YsTrR2sP7XY655ig1Gi9iDen9Fsl7ut0ZOwRdu+qMd0QZh9u:YsTrR5P7XY655ig1Gi9iDen9s7utuvvu
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2664 image.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3444 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2ffce1a32cea53c8ed10142ed958be.exe image.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2ffce1a32cea53c8ed10142ed958be.exe image.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7e2ffce1a32cea53c8ed10142ed958be = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\image.exe\" .." image.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7e2ffce1a32cea53c8ed10142ed958be = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\image.exe\" .." image.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe Token: 33 2664 image.exe Token: SeIncBasePriorityPrivilege 2664 image.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4000 wrote to memory of 2664 4000 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe 82 PID 4000 wrote to memory of 2664 4000 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe 82 PID 2664 wrote to memory of 3444 2664 image.exe 83 PID 2664 wrote to memory of 3444 2664 image.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe"C:\Users\Admin\AppData\Local\Temp\5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Users\Admin\AppData\Local\Temp\image.exe"C:\Users\Admin\AppData\Local\Temp\image.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\image.exe" "image.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:3444
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
585KB
MD5593c49bcff04c91af78483c1d8d87cbd
SHA115499641c22650e742a2497b81de0fec8a6a5f84
SHA2565c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
SHA5129523027b47ee703211fb69858fa9213087c01186586a94d10f678ef35929fc211eea1be8e0acd285e44d9c96b1ee950ea280ee1fc547a1c861ae32c5923fbdaf
-
Filesize
585KB
MD5593c49bcff04c91af78483c1d8d87cbd
SHA115499641c22650e742a2497b81de0fec8a6a5f84
SHA2565c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
SHA5129523027b47ee703211fb69858fa9213087c01186586a94d10f678ef35929fc211eea1be8e0acd285e44d9c96b1ee950ea280ee1fc547a1c861ae32c5923fbdaf