Analysis

  • max time kernel
    314s
  • max time network
    444s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28/11/2022, 02:03

General

  • Target

    38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe

  • Size

    460KB

  • MD5

    5ea129b89440008e1e26ec68000d041b

  • SHA1

    6e7203625e657415245e4344df8d2cf31fd66cf0

  • SHA256

    38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c

  • SHA512

    110c8caa5ed67705ec12b8bc764bc84455e5a14ae410ebac300eee21b29664c2c3ae188aca3a9d01aeb1bf64c300be19279d57b90102c00a3d5050dc1d2eb714

  • SSDEEP

    12288:OlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:OlSt69HNx6T/5xT

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
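
The "UPX packed file" signature above fires on the on-disk layout of the sample and its dropped files. The following is an added example, not Triage's own rule or any code from the sample: it parses the PE section table straight from the raw headers and reports the two indicators a stock UPX build leaves (UPX0/UPX1 section names and the "UPX!" magic string). The PE images it checks are constructed in the block itself as header-only test vectors, not the files from this report.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
# Section names written by the stock UPX stub; a "modified UPX" build may rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}


def pe_section_names(data):
    """Return the section names of a PE image, parsed from the raw headers.

    Only the DOS header, the PE signature and the COFF file header are needed to
    locate the section table; the optional header is skipped by its declared size.
    """
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsect):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def upx_indicators(data):
    """Collect the two cheap UPX tells: section names and the 'UPX!' magic."""
    names = pe_section_names(data)
    return {
        "upx_sections": sorted(n.decode("latin-1") for n in names if n in UPX_SECTION_NAMES),
        "upx_magic": b"UPX!" in data,
    }


def is_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_pe(section_names, trailer=b""):
    """Construct a minimal PE header for testing (not a loadable executable)."""
    opt_size = 0xE0                   # size of a PE32 optional header, left zeroed
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt_size) + sections + trailer


# Constructed test vectors (header-only images, not the files from this report).
PACKED = build_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"\x00UPX!\x00")
CLEAN = build_pe([b".text", b".rdata", b".data"])
RENAMED = build_pe([b".text", b".data"], trailer=b"UPX!")   # sections renamed, magic kept


if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN), ("renamed", RENAMED)):
        print(label, is_upx_packed(img), upx_indicators(img))
```

The section-name check is the stronger of the two on its own, but either indicator can be removed by a modified UPX build, which is why the signature text above says "UPX/modified UPX": treat a negative result from this check as "not stock UPX", not as "unpacked".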

Processes

  • C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
    "C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Users\Admin\iBdqphzke5.exe
      C:\Users\Admin\iBdqphzke5.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:668
    • C:\Users\Admin\astat.exe
      C:\Users\Admin\astat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Users\Admin\astat.exe
        "C:\Users\Admin\astat.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2268
    • C:\Users\Admin\dstat.exe
      C:\Users\Admin\dstat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3916

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\astat.exe

    Filesize

    60KB

    MD5

    87c6498966e3f85fac743c89050aa312

    SHA1

    05c165c34cbfa14e4925c33ace81992b0f50a2b5

    SHA256

    30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

    SHA512

    740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

  • C:\Users\Admin\dstat.exe

    Filesize

    36KB

    MD5

    b6da847084e39e0cecf175c32c91b4bb

    SHA1

    fbfd9494fabed5220cdf01866ff088fe7adc535b

    SHA256

    065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

    SHA512

    59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

  • C:\Users\Admin\iBdqphzke5.exe

    Filesize

    244KB

    MD5

    a4cdb62cf4866a17e742e7e9cc73d237

    SHA1

    30d94f8e872455ac569949ac4c768d0a0cdfbba7

    SHA256

    c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

    SHA512

    c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

  • memory/2268-149-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2268-150-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2268-148-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2268-145-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB
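
The process tree and the memory dumps above together show the pattern worth flagging in this report: astat.exe (PID 824) uses SetThreadContext and WriteProcessMemory, spawns a second astat.exe (PID 2268), and the sandbox then dumps a 56KB region of that child starting at 0x400000. The following is an added example, not part of the Triage report or its export format: it transcribes the tree and the dump names into a constructed data structure, parses the dump file names, and walks the tree for parent/child pairs that match this self-hollowing shape. The field names (pid, ppid, image, sigs) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Process tree transcribed from the report above (constructed structure; the
# "sigs" sets hold the per-process signature names shown in the tree).
PROCESSES = [
    {"pid": 4420, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe",
     "sigs": {"SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 668, "ppid": 4420, "image": r"C:\Users\Admin\iBdqphzke5.exe",
     "sigs": {"Executes dropped EXE", "EnumeratesProcesses", "SetWindowsHookEx"}},
    {"pid": 824, "ppid": 4420, "image": r"C:\Users\Admin\astat.exe",
     "sigs": {"Executes dropped EXE", "SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 2268, "ppid": 824, "image": r"C:\Users\Admin\astat.exe",
     "sigs": {"Executes dropped EXE", "EnumeratesProcesses"}},
    {"pid": 3916, "ppid": 4420, "image": r"C:\Users\Admin\dstat.exe",
     "sigs": {"Executes dropped EXE", "SetWindowsHookEx"}},
]

# Dump names exactly as listed in the report above.
DUMPS = [
    "memory/2268-149-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/2268-150-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/2268-148-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/2268-145-0x0000000000400000-0x000000000040E000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError("unrecognised dump name: %r" % name)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def dump_size_kb(name):
    d = parse_dump_name(name)
    return (d["end"] - d["start"]) // 1024


def hollowing_candidates(procs, dumps):
    """Parent uses SetThreadContext + WriteProcessMemory and spawns a child with
    the same image path; attach any memory regions dumped from that child."""
    by_pid = {p["pid"]: p for p in procs}
    dumps_by_pid = defaultdict(set)
    for name in dumps:
        d = parse_dump_name(name)
        dumps_by_pid[d["pid"]].add((d["start"], d["end"]))
    required = {"SetThreadContext", "WriteProcessMemory"}
    found = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent is None or not required <= parent["sigs"]:
            continue
        if child["image"].lower() != parent["image"].lower():
            continue
        found.append({
            "parent": parent["pid"],
            "child": child["pid"],
            "image": child["image"],
            "dumped_regions": sorted(dumps_by_pid[child["pid"]]),
        })
    return found


if __name__ == "__main__":
    for c in hollowing_candidates(PROCESSES, DUMPS):
        print(c)
    print(dump_size_kb(DUMPS[0]), "KB")
```

Only the 824 -> 2268 pair matches; PID 4420 also calls WriteProcessMemory but never SetThreadContext, so it is not reported. The dumped range 0x400000-0x40E000 is 56KB at the conventional default image base of a 32-bit executable, close to the 60KB astat.exe on disk, which is consistent with the child's image being rewritten in place. The report does not show a suspended CreateProcess or NtUnmapViewOfSection, so treat the match as a candidate to confirm by comparing the dump with the on-disk astat.exe rather than as a conclusion.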