Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/11/2022, 10:33 UTC

General

  • Target

    bfc12957a4fadc56cf5130da9203885743eeccbb8c8b77bb3988219d84bf9f86.exe

  • Size

    391KB

  • MD5

    69d3efdcefbe2c48da373869723c4581

  • SHA1

    36e7359bc003ef18410def193e5dc58833c398e4

  • SHA256

    bfc12957a4fadc56cf5130da9203885743eeccbb8c8b77bb3988219d84bf9f86

  • SHA512

    43a9eac776d5dca213e921f8e2bf0fd0c9ee77f14ee86ddb2d33612f70590a0189ecd55eb93b06df0351459e11a4cb771e07ecefb77fd857200791c8c210828b

  • SSDEEP

    6144:oob6m1dFAokqnYV9wpmqSafvaxcEBRylI:o+1PA/qnYV9wpmqSafvaOEBRy

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfc12957a4fadc56cf5130da9203885743eeccbb8c8b77bb3988219d84bf9f86.exe
    "C:\Users\Admin\AppData\Local\Temp\bfc12957a4fadc56cf5130da9203885743eeccbb8c8b77bb3988219d84bf9f86.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 940
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1668

Network

  • flag-unknown
    DNS
    97.97.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.97.242.52.in-addr.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 52.182.141.63:443
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 8.8.8.8:53
    97.97.242.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.97.242.52.in-addr.arpa

  • 8.8.8.8:53
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4756-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

    Filesize

    5.7MB

  • memory/4756-134-0x0000000074AB0000-0x0000000075061000-memory.dmp

    Filesize

    5.7MB

  • memory/4756-135-0x0000000074AB0000-0x0000000075061000-memory.dmp

    Filesize

    5.7MB
