Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2022, 02:43

General

  • Target

    8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe

  • Size

    109KB

  • MD5

    2cc89125f41c7f0b43a2270bab95f59b

  • SHA1

    52872c01673f3de64f2abcb038bd2ad2f19c9b71

  • SHA256

    8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d

  • SHA512

    b7cbc407caf3a3ec10e73561c06daf1dd4af851d6e1c77d6fa7d6fab91c50bf3a3f1f7c10670d161c70ba5c84e9ac07ffd1263b298a9949c45321f22920a1dd9

  • SSDEEP

    1536:onX6P2JU6nCbtEDbPjg5shQ/G1VyZJAVY53rfL8iL/3p5PKtOPc6BVWFyVsG:HOJU6n+irC8VyZGVw7L8iLBYtIHUyVd

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist (1 TTP, 1 IoC)
  • Kills process with taskkill (1 IoC)
  • Modifies registry class (1 IoC)
  • Runs ping.exe (1 TTP, 2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
    "C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hy.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c hy.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3260
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 hy.dll
          4⤵
          • Sets DLL path for service in the registry
          • Loads dropped DLL
          • Drops file in System32 directory
          PID:2216
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2248
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /svc
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3196
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3952
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im regsvr32.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:744
  • C:\Windows\SysWOW64\Svchost.exe
    C:\Windows\SysWOW64\Svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    PID:2888

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hy.bat

    Filesize

    144B

    MD5

    f36b3892cd11fe578eadf0d4e49ebd70

    SHA1

    e25898f1e58ecac39b050c6461e0e95dbf9eb70e

    SHA256

    a4868b4d6a8bc27c4a4aee08bd04749dc37bdf24c43f036d9fde99c9542ca9e7

    SHA512

    900a1d0daead103b03e14927caf915d27d0a2b73148a18e5adb635366bded86442d8cf618f65eda63eb8ff255750541ae155a01710c1ed62e1294449f81c1e43

  • C:\Users\Admin\AppData\Local\Temp\hy.dll

    Filesize

    63KB

    MD5

    dd61d349a7c099442135a102cbd342a4

    SHA1

    fb9d361235f1954abd1842971e6c3bbf6d8981e5

    SHA256

    86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

    SHA512

    54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

  • C:\Users\Admin\AppData\Local\Temp\hy.vbs

    Filesize

    51B

    MD5

    b622ecd01880270e1625c337249ba7d3

    SHA1

    f1dad85b2dfa56d2b3ae507765ec96c56e51eb9c

    SHA256

    d6d1f72224e9db4edbdf2bc900a816d3fe6aa95a9f547a10216a78d6ea722588

    SHA512

    1a36d8781dc3fdf55b520ace190fe14b8787432b27ffc3b99104a40feb0abf1128c200e977ceb27cf31e9c80edac97eb28e5f11e935d839869b2a8b7550ffde0

  • C:\Windows\SysWOW64\softpus.dll

    Filesize

    63KB

    MD5

    dd61d349a7c099442135a102cbd342a4

    SHA1

    fb9d361235f1954abd1842971e6c3bbf6d8981e5

    SHA256

    86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

    SHA512

    54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

  • \??\c:\windows\SysWOW64\softpus.dll

    Filesize

    63KB

    MD5

    dd61d349a7c099442135a102cbd342a4

    SHA1

    fb9d361235f1954abd1842971e6c3bbf6d8981e5

    SHA256

    86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

    SHA512

    54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf