
Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/11/2022, 13:35

General

  • Target

    197c71387c8350bf14d11fbd629e34eb03ac2db863f0b7502ff50bf1dfbeaba6.exe

  • Size

    1.9MB

  • MD5

    b6c924512eeb2bf21ee6238d3a3319aa

  • SHA1

    2e52443488b20f7675af80e8ed3911db4ba673a1

  • SHA256

    197c71387c8350bf14d11fbd629e34eb03ac2db863f0b7502ff50bf1dfbeaba6

  • SHA512

    e1bcc6df964a5cf50de6659ca872d9f2bb2e5f92123358019bec28021278ac6d12c7f4627020bdcf81507a81449fd52f6739a2d258b1582b62d459aa15efc08a

  • SSDEEP

    49152:3zh0TB9kenwcdUC9g0zXNk+rRas21xh9qJMtn2bJ7Ck7n:jhkbkcwcH9g0zXGh1xhYMl2bJ7Cin

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\197c71387c8350bf14d11fbd629e34eb03ac2db863f0b7502ff50bf1dfbeaba6.exe
    "C:\Users\Admin\AppData\Local\Temp\197c71387c8350bf14d11fbd629e34eb03ac2db863f0b7502ff50bf1dfbeaba6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Local\Temp\VideoConverterUltimate.exe
      "C:\Users\Admin\AppData\Local\Temp\VideoConverterUltimate.exe"
      2⤵
      • Executes dropped EXE
      PID:3736
    • C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe
      "C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\System32\ipconfig.exe" /release
        3⤵
        • Gathers network information
        PID:4988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 684
        3⤵
        • Program crash
        PID:4228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3356 -ip 3356
    1⤵
    PID:1392

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\VideoConverterUltimate.exe

      Filesize

      5.2MB

      MD5

      9d1baab652009aa90ce9c62c6921094b

      SHA1

      b8226ab4468a2249b178e9139657be43610041a1

      SHA256

      a7c1084639c52d0201ea2b0ac471f77f9182bd0f021bdf1e1edabe9154d8fd9c

      SHA512

      d4b8f18360c95174357d6f60f6554fcd839d42cfb9b30e33162abcdd493efc4fa228d3377b3c43af9140267cc28be4a413e8c1ae1645d679c43415a1af1e85a9

    • C:\Users\Admin\AppData\Local\Temp\xxxxxx.exe

      Filesize

      548KB

      MD5

      4d6bc1d7974c06161e1ed65c7f0a20a8

      SHA1

      1a98ef9a70d39f916a81e0e8c9cf95c8c145744b

      SHA256

      024140fb411c120a4f7bdab9a46959b60da178910106bd0d73196a479243947c

      SHA512

      c2d1b78364de65346e64e0fd0bed87c4ab110de1e03705b68489503f5069053a647d478c7b0c5217cc8f9f40fe39deceb2c809a714a92ffc8c741d273799e5ee