Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

0896705f13...6a.exe

windows7-x64

8

0896705f13...6a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0896705f13b563d7856bf0d53257cada9bee091923fa2fb39b966e3aeb2e436a.exe

  • Size

    9.2MB

  • MD5

    58a253944ded5623aee1a46c801d0a99

  • SHA1

    c28f3d5794af7707699a7610e78a8e91c0552b42

  • SHA256

    0896705f13b563d7856bf0d53257cada9bee091923fa2fb39b966e3aeb2e436a

  • SHA512

    78a4d936dafdec09994e7c02f90035b3e9ca002f0769364e89f671846afac9c06f506acb845b823b554d0300a507796dd28f27e35dc3d00b07884c380e970a59

  • SSDEEP

    196608:we3H9CycWxqu7QDCOoisMvXpKYvYulYE0/ccNQ:we3dCy71kD4isMhGtcEQ

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0896705f13b563d7856bf0d53257cada9bee091923fa2fb39b966e3aeb2e436a.exe
    "C:\Users\Admin\AppData\Local\Temp\0896705f13b563d7856bf0d53257cada9bee091923fa2fb39b966e3aeb2e436a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
      __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\0896705f13b563d7856bf0d53257cada9bee091923fa2fb39b966e3aeb2e436a.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c tasklist.exe>list.tmp
        3⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist.exe
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    Filesize

    440KB

    MD5

    75ca7ff96bf5a316c3af2de6a412bd54

    SHA1

    0a093950790ff0dddff6f5f29c6b02c10997e0c5

    SHA256

    d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

    SHA512

    b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    Filesize

    440KB

    MD5

    75ca7ff96bf5a316c3af2de6a412bd54

    SHA1

    0a093950790ff0dddff6f5f29c6b02c10997e0c5

    SHA256

    d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

    SHA512

    b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

    Download Submit

  • memory/4912-135-0x0000000000400000-0x0000000000527000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4912-138-0x0000000000400000-0x0000000000527000-memory.dmp

    Filesize

    1.2MB

    Download