Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27/11/2022, 18:09
Static task
static1
Behavioral task
behavioral1
Sample
d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Resource
win10v2004-20220812-en
General
-
Target
d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
-
Size
478KB
-
MD5
f7e1a441315a80328596c03da48d1778
-
SHA1
892ec2afe8549bc85d323ce9cfef1e08873ae7a0
-
SHA256
d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30
-
SHA512
ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4
-
SSDEEP
6144:0APTi7C55DbmAs2X/4UYPOHfDLmmhDOnzYMvDfDllEVMSjFd+v:7WK5/aq4UYPOugOnEADf7g
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 4224 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\\Windows32\\Explorer.exe" d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Windows32\\Explorer.exe" d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe File opened for modification C:\Windows\assembly\Desktop.ini d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3172 set thread context of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 4180 set thread context of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe File created C:\Windows\assembly\Desktop.ini d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe File opened for modification C:\Windows\assembly\Desktop.ini d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 764 PING.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4224 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe Token: SeDebugPrivilege 2084 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe Token: SeDebugPrivilege 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe Token: SeDebugPrivilege 4224 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe Token: SeDebugPrivilege 4224 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4224 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 3172 wrote to memory of 2084 3172 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 80 PID 2084 wrote to memory of 4180 2084 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 81 PID 2084 wrote to memory of 4180 2084 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 81 PID 2084 wrote to memory of 4180 2084 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 81 PID 2084 wrote to memory of 4888 2084 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 82 PID 2084 wrote to memory of 4888 2084 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 82 PID 2084 wrote to memory of 4888 2084 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 82 PID 4888 wrote to memory of 764 4888 cmd.exe 84 PID 4888 wrote to memory of 764 4888 cmd.exe 84 PID 4888 wrote to memory of 764 4888 cmd.exe 84 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85 PID 4180 wrote to memory of 4224 4180 d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4224
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10004⤵
- Runs ping.exe
PID:764
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe.log
Filesize224B
MD5c19eb8c8e7a40e6b987f9d2ee952996e
SHA16fc3049855bc9100643e162511673c6df0f28bfb
SHA256677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a
SHA512860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596
-
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Filesize478KB
MD5f7e1a441315a80328596c03da48d1778
SHA1892ec2afe8549bc85d323ce9cfef1e08873ae7a0
SHA256d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30
SHA512ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4
-
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Filesize478KB
MD5f7e1a441315a80328596c03da48d1778
SHA1892ec2afe8549bc85d323ce9cfef1e08873ae7a0
SHA256d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30
SHA512ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4
-
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Filesize478KB
MD5f7e1a441315a80328596c03da48d1778
SHA1892ec2afe8549bc85d323ce9cfef1e08873ae7a0
SHA256d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30
SHA512ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4