Analysis
max time kernel: 66s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/11/2022, 18:31
Static task: static1
Behavioral task: behavioral1
  Sample: b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
  Resource: win10v2004-20220901-en
General
Target: b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
Size: 581KB
MD5: 1087b44d6a6c573ebed09ea02969590f
SHA1: 854df27c301f865aa9fd9312cfa5712b30a9bb5e
SHA256: b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53
SHA512: ac2785f1362294334850a38bebee599c592f19adf3a20cee7630a3faef39216c1e6043d036cc77621fd9107ba8304a04daa1e1cadb8d5ff699b1df36b183ee73
SSDEEP: 12288:3QFagl4ZjL++kpFDI+4hPBH1S4+gHRMEM9LCB9Gl/DN:3QFNC+fI+g1S4+gHOt9LCc/D
Malware Config
Signatures

Downloads MZ/PE file
resource | yara_rule
behavioral2/memory/4316-132-0x0000000002150000-0x0000000002282000-memory.dmp | upx
behavioral2/memory/4316-136-0x0000000002150000-0x0000000002282000-memory.dmp | upx
behavioral2/memory/4316-137-0x0000000002150000-0x0000000002282000-memory.dmp | upx
behavioral2/memory/4316-139-0x0000000002150000-0x0000000002282000-memory.dmp | upx
behavioral2/memory/4316-140-0x0000000002150000-0x0000000002282000-memory.dmp | upx
behavioral2/memory/4316-141-0x0000000002150000-0x0000000002282000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
Token: SeCreatePagefilePrivilege | 4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
4316 | b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9508eca3f9a56d2a93bca1b34a9080b18efa0b782200a91d93c02c0afad0d53.exe"
  PID: 4316
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx