Analysis
max time kernel: 200s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 21:26
Static task: static1
Behavioral task: behavioral1
  Sample: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
  Resource: win10v2004-20221111-en
General
Target: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
Size: 272KB
MD5: a374384e1b398b929e3ff31be5579c80
SHA1: 921f79049cc4c23304cdfefdd844b84aeeed87a1
SHA256: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba
SHA512: 7d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e
SSDEEP: 6144:6MrGiRoPEsoIQX/S+uCl+s9tCvacVOqgOBCctl+m:nrzC8s1kl+s9tsaWOqgOYIn
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- pid 3104: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HIYFAVMD = "C:\\Users\\Admin\\AppData\\Roaming\\System\\Svchost.exe" (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HIYFAVMD = "\\System\\Svchost.exe" (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
The same value name is written twice: first with an absolute path under the user's Roaming profile, then with a path that has no drive letter. Both point at a file named Svchost.exe outside the Windows directory, which is the detail worth hunting for.

Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
Desktop.ini under C:\Windows\assembly is the GAC shell-folder marker and is commonly created or touched when .NET Framework executables run, so this IoC is weak on its own.

Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\assembly (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
- File created: C:\Windows\assembly\Desktop.ini (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoCs are listed for this signature.

Runs ping.exe (1 TTP, 1 IoC)
- pid 1832: PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 3104: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, pid 3104 (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
- Token: SeDebugPrivilege, pid 3104 (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)
- Token: SeDebugPrivilege, pid 3240 (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3104: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3240 wrote to memory of 3104, pid 3240 (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe), procid_target 85 (3 identical entries)
- PID 3240 wrote to memory of 3428, pid 3240 (d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe), procid_target 86 (3 identical entries)
- PID 3428 wrote to memory of 1832, pid 3428 (cmd.exe), procid_target 88 (3 identical entries)
Each write is a parent writing into a child it has just created, which is consistent with ordinary process start-up rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"
  PID: 3240
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"
    PID: 3104
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"
    PID: 3428
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 1832
      Signatures: Runs ping.exe

The submitted file (PID 3240) copies itself into a subdirectory named after its own hash, launches the copy (PID 3104), and then spawns cmd.exe to wait one second via ping and delete the original. The cmd.exe and PING.EXE images resolve to SysWOW64 although the command line names System32: the parent is a 32-bit process (the task carries the arch:x86 tag) and is subject to WOW64 file system redirection.
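Three behaviours in the signatures and the process tree above are cheap to turn into detection logic: the Run value HIYFAVMD pointing at a Svchost.exe outside the Windows directory (and, in the second write, at a path with no drive letter), the Geo\Nation registry lookup, and the cmd.exe line that pings once to pause and then deletes the original dropper. The Python below is an added example, not tria.ge's code and not anything extracted from the sample. Its event records are constructed from this report's IoCs under an assumed field schema (type, pid, image, parent_image, key, value, cmdline); the two benign records and the rule thresholds are invented to show what the rules ignore.

```python
import ntpath
import re

# Names taken from the report; everything else in this file is constructed.
SAMPLE = "d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = ntpath.join(TEMP, SAMPLE)                # PID 3240, the submitted file
DROPPED = ntpath.join(TEMP, SAMPLE[:-4], SAMPLE)   # PID 3104, the copy it launches
HKU = r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000"

# Constructed telemetry modelled on the report's IoCs. The field names are an
# assumed schema, not any EDR or Sysmon format.
EVENTS = [
    {"type": "reg_query", "pid": 3104, "image": DROPPED,
     "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "pid": 3104, "image": DROPPED,
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HIYFAVMD",
     "value": r"C:\Users\Admin\AppData\Roaming\System\Svchost.exe"},
    {"type": "reg_set", "pid": 3104, "image": DROPPED,
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HIYFAVMD",
     "value": r"\System\Svchost.exe"},
    {"type": "proc_create", "pid": 3428, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": DROPPER,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "'
                + DROPPER + '"'},
    # Two benign records (also constructed) that the rules must not flag.
    {"type": "reg_set", "pid": 4000, "image": r"C:\Program Files\Vendor\Setup.exe",
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\Updater.exe /background"},
    {"type": "proc_create", "pid": 4001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /C ping 8.8.8.8 -n 1"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# `ping ... & del [flags] <path>`: the pause-then-delete idiom in the process tree.
PING_DEL_RE = re.compile(
    r"\bping\b[^&]*&+\s*del\b\s*(?:/\w+\s+)*\"?([^\"&]+?)\"?\s*$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"


def _target(value: str) -> str:
    """Reduce a Run value to its executable: the quoted path, or up to the first .exe."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", v, re.IGNORECASE)
    return m.group(1) if m else v


def run_value_verdict(value: str):
    """Return why a Run-key value is suspicious, or None if it looks ordinary."""
    path = _target(value).lower()
    name = ntpath.basename(path)
    if not re.match(r"^[a-z]:\\", path):
        # "\System\Svchost.exe" has no drive letter, so what runs depends on the
        # current drive of whatever processes the Run key.
        return f"non-absolute autostart path {path!r}"
    if name in SYSTEM_NAMES and not path.startswith(WINDOWS_DIR):
        return f"system binary name {name} outside {WINDOWS_DIR}"
    if any(seg in path for seg in USER_WRITABLE):
        return f"autostart target in a user-writable directory: {path}"
    return None


def is_geofence_lookup(key: str) -> bool:
    """True for the Geo\\Nation query the report flags as a likely geofence."""
    return GEO_RE.search(key) is not None


def ping_delete_target(cmdline: str):
    """Return the path removed by a `ping ... & del <path>` one-liner, else None."""
    m = PING_DEL_RE.search(cmdline)
    return m.group(1).strip() if m else None


def analyze(events):
    """Run the three rules over the events and return (pid, rule, detail) hits."""
    hits = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY_RE.search(e["key"]):
            why = run_value_verdict(e["value"])
            if why:
                hits.append((e["pid"], "run_key_persistence", why))
        elif e["type"] == "reg_query" and is_geofence_lookup(e["key"]):
            hits.append((e["pid"], "geofence_check", e["key"]))
        elif e["type"] == "proc_create":
            target = ping_delete_target(e.get("cmdline", ""))
            if target:
                # Deleting the parent's own image is the self-removal seen in the tree.
                own = target.lower() == e.get("parent_image", "").lower()
                hits.append((e["pid"], "self_delete" if own else "ping_delete", target))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"PID {pid}: {rule}: {detail}")
```

The Run-key rule deliberately does not key on the value name HIYFAVMD, which is arbitrary; the durable signal is a system-binary filename outside C:\Windows, an autostart target under a user-writable directory, or a path with no drive letter. The self-delete rule compares the del target against the parent image, so a `ping & del` that removes some other file is still reported, just under a different rule name.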
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
  Filesize: 272KB
  MD5: a374384e1b398b929e3ff31be5579c80
  SHA1: 921f79049cc4c23304cdfefdd844b84aeeed87a1
  SHA256: d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba
  SHA512: 7d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e
  The hashes are identical to the submitted sample: the dropped file is a byte-for-byte copy written to a subdirectory named after the sample's SHA256.