Analysis
- max time kernel: 91s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 11:20
Static task: static1
Behavioral task: behavioral1
- Sample: b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe
- Resource: win10v2004-20220901-en
General
- Target: b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe
- Size: 3.4MB
- MD5: 21f420cf12acf484d126f5b153131e7a
- SHA1: 46979b39b5b3ec52d3a9d582cf74a9c96e8cc26e
- SHA256: b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb
- SHA512: a058ce6bf174596a036a20f961c19b307ecf08dd6aeae4b85aa10aa6e1547236673e239510e3279f6851e31aa3d2a68ccf308231e6a31b679c93e41b3a8b270b
- SSDEEP: 98304:c3BRF/1E74wVxlc5H6rtojimBHeT0yzvmt2gupE2r:c6GOmsT0yji2guz
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2160 | Installapk.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2160 | Installapk.exe
  2160 | Installapk.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4752 wrote to memory of 2160 | 4752 | b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe | 82
  PID 4752 wrote to memory of 2160 | 4752 | b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe | 82
  PID 4752 wrote to memory of 2160 | 4752 | b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe | 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b32051f148d14ec759f5ff05e8baad7c9e97e3ee73aaade3b607496de37709bb.exe"
   PID: 4752
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\wdgame\Installapk.exe (child of PID 4752)
      Command line: "C:\ProgramData\wdgame\Installapk.exe"
      PID: 2160
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- File 1
  Filesize: 2.6MB
  MD5: 8606ce3007385eb44192d1224eef7e11
  SHA1: eb8b48cad09c2d3aef6ad512592482c449847526
  SHA256: c1aad5940d5a044cc9dae9ee9087d664b07683228414f14b6963a71cd9947bca
  SHA512: 146c856bdad9aa0503389cf5bf155277df584d9bc14041d05f845eb5f32cea1f6176c5700210509d903dab2a5229f8750fdd2590e650d9233c2efa2fb5c1ad7a
- File 2
  Filesize: 231B
  MD5: b4c067fa5ce238cb34851b1e24d1ed22
  SHA1: b0f47a0e43feb2bd49c2787a1e64367ef36544bb
  SHA256: 76e2b09d5111cbc1c7a294fe0cc29d51b66af17cd2703690e4bd66e9d524e86f
  SHA512: 004f37752d03370c6a4c5d54452c15c941c992c975005078b8baafffc00809afe858b425030da70605ff8a9d850094f7435267eeda3aabf7c53781e70986bb7c