Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
190s -
max time network
237s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
27/11/2022, 13:04
Static task
static1
Behavioral task
behavioral1
Sample
c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe
Resource
win10v2004-20221111-en
General
-
Target
c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe
-
Size
395KB
-
MD5
64ae49b76e77e91648702ec307366574
-
SHA1
c3caacaa85a4e1264055b7b58e51942035c1b63d
-
SHA256
c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e
-
SHA512
7d72c6ebe3899b25ab4da8b48799ff8fb6d9061b758064ea6179973153d9c759fc35808901a23c8d05e102ec0e903c34f5339737ee9e75587ee50694c019f39b
-
SSDEEP
3072:uI3YNRJObPbVvz6LCntoiZQQFKAYiVWMHbzJLTpOegl9DywuINy6TKzm9E2Gktg1:5aRJObALCntHQQ0D2uFOfL36
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1556 fac.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 664 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b37339a5d0012a54f56c15061b561449.exe fac.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b37339a5d0012a54f56c15061b561449.exe fac.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b37339a5d0012a54f56c15061b561449 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fac.exe\" .." fac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b37339a5d0012a54f56c15061b561449 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fac.exe\" .." fac.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe 1556 fac.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1556 fac.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2476 wrote to memory of 1556 2476 c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe 83 PID 2476 wrote to memory of 1556 2476 c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe 83 PID 2476 wrote to memory of 1556 2476 c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe 83 PID 1556 wrote to memory of 664 1556 fac.exe 84 PID 1556 wrote to memory of 664 1556 fac.exe 84 PID 1556 wrote to memory of 664 1556 fac.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe"C:\Users\Admin\AppData\Local\Temp\c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\fac.exe"C:\Users\Admin\AppData\Local\Temp\fac.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\fac.exe" "fac.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:664
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395KB
MD564ae49b76e77e91648702ec307366574
SHA1c3caacaa85a4e1264055b7b58e51942035c1b63d
SHA256c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e
SHA5127d72c6ebe3899b25ab4da8b48799ff8fb6d9061b758064ea6179973153d9c759fc35808901a23c8d05e102ec0e903c34f5339737ee9e75587ee50694c019f39b
-
Filesize
395KB
MD564ae49b76e77e91648702ec307366574
SHA1c3caacaa85a4e1264055b7b58e51942035c1b63d
SHA256c1c9cbfea0423118c876a59d4f6368449af98c520bbfa86c45b2d381db58542e
SHA5127d72c6ebe3899b25ab4da8b48799ff8fb6d9061b758064ea6179973153d9c759fc35808901a23c8d05e102ec0e903c34f5339737ee9e75587ee50694c019f39b