Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2022, 18:51
Static task: static1
Behavioral task: behavioral1
- Sample: 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
- Resource: win10v2004-20221111-en
General
- Target: 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
- Size: 292KB
- MD5: 2bec47844b2158b8971395794301e712
- SHA1: 85e9fe6a3118fa5bf352fef7ecf8b711a45a3968
- SHA256: 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809
- SHA512: e0d492b85856f4a7e675fe30fbc223573dd214e12dd7b043ac84f10098477181ae59f04aa44a389159f39c91820268e02dc9d4a79910846d0da92241023c277a
- SSDEEP: 6144:UwcYntNJbzX8qhqEIJHqvzRb8zCgoniL2L0U1wer6:UwcYLJ///IJydbXqU1Bm
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe" | WScript.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | CasPol.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | CasPol.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4184 set thread context of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | CasPol.exe
  File created | C:\Windows\assembly\Desktop.ini | CasPol.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | CasPol.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | cmd.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1824 | CasPol.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
  Token: SeDebugPrivilege | 1824 | CasPol.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1824 | CasPol.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 1824 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 84
  PID 4184 wrote to memory of 2004 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 85
  PID 4184 wrote to memory of 2004 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 85
  PID 4184 wrote to memory of 2004 | 4184 | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe | 85
  PID 2004 wrote to memory of 2196 | 2004 | cmd.exe | 87
  PID 2004 wrote to memory of 2196 | 2004 | cmd.exe | 87
  PID 2004 wrote to memory of 2196 | 2004 | cmd.exe | 87
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe"
  PID: 4184
  Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
    Command line: "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
    PID: 1824
    Signatures: Drops desktop.ini file(s); Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 2004
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
      PID: 2196
      Signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 219B
  MD5: b559ac384267491c0796d801b39e4979
  SHA1: 6762fd6ee2849c743dfd2e3d6743b3f26bc32b9d
  SHA256: 85f64caab11088c4fa85d0caebc9086178eeef9e322be7034311cf466430302e
  SHA512: 292df546edec7225fca39816d4171924ced925ca00d316d7694ecfb00a2cb4d81315493e2af759121795413a5e0116abcd11b5003e332fec3a5dcf40fc24de7e