Analysis
max time kernel: 314s
max time network: 444s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2022, 02:03
Static task: static1
Behavioral task behavioral1: sample 38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe, resource win7-20220812-en
Behavioral task behavioral2: sample 38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe, resource win10v2004-20221111-en
Only the behavioral2 (Windows 10) run is reflected in the signatures, memory yara hits and process tree on this page; every memory dump reference is prefixed behavioral2/ and the platform listed is windows10-2004_x64.
General
Target: 38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
Size: 460KB
MD5: 5ea129b89440008e1e26ec68000d041b
SHA1: 6e7203625e657415245e4344df8d2cf31fd66cf0
SHA256: 38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c
SHA512: 110c8caa5ed67705ec12b8bc764bc84455e5a14ae410ebac300eee21b29664c2c3ae188aca3a9d01aeb1bf64c300be19279d57b90102c00a3d5050dc1d2eb714
SSDEEP: 12288:OlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:OlSt69HNx6T/5xT
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid 668 iBdqphzke5.exe
pid 824 astat.exe
pid 2268 astat.exe
pid 3916 dstat.exe
yara_rule upx (memory) 4 IoCs
All four hits are in pid 2268 (astat.exe), region 0x0000000000400000-0x000000000040E000:
behavioral2/memory/2268-145-0x0000000000400000-0x000000000040E000-memory.dmp
behavioral2/memory/2268-148-0x0000000000400000-0x000000000040E000-memory.dmp
behavioral2/memory/2268-149-0x0000000000400000-0x000000000040E000-memory.dmp
behavioral2/memory/2268-150-0x0000000000400000-0x000000000040E000-memory.dmp
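The four yara hits above all cover the same 0xE000-byte region at 0x400000 inside pid 2268, which is where a hollowed process keeps its replacement image. The memory dump itself is not on this page, so the following added example (my code, not tria.ge's) parses the PE headers of a region like that and reports what a practitioner would check against the report: whether the image base and SizeOfImage line up with the dumped range, whether the section table carries UPX-style names, and whether the layout (a first section with no file-backed bytes, mapped RWX, plus a "UPX!" banner) matches a packer even if the names were wiped. `build_fake_upx_image()` fabricates a minimal PE32 with those properties purely so the parser can run offline; it is not the real dump, and the section sizes in it are invented.

```python
"""Check a packer-flagged memory region against the report's numbers.

Added example, not code from tria.ge or from the sample's authors.  The real
dump 2268-145-0x0000000000400000-0x000000000040E000-memory.dmp is not on the
page, so build_fake_upx_image() constructs a stand-in PE32 image.
"""
import struct

REPORT_REGION = (0x00400000, 0x0040E000)  # taken from the yara table for pid 2268


def build_fake_upx_image(size_of_image=0xE000):
    """Constructed stand-in: MZ/PE headers plus three section headers laid out the
    way UPX lays them out (UPX0 reserves the unpack destination and has no raw
    data, UPX1 holds the compressed payload and stub).  Sizes are invented."""
    sections = [
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"UPX0", 0x8000, 0x1000, 0x0000, 0x400, 0xE0000080),   # uninitialised, RWX
        (b"UPX1", 0x4000, 0x9000, 0x3400, 0x400, 0xE0000040),   # initialised, RWX
        (b".rsrc", 0x1000, 0xD000, 0x0600, 0x3800, 0xC0000040), # RW only
    ]
    e_lfanew, opt_size = 0x40, 0xE0                       # standard PE32 optional header size
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, REPORT_REGION[0])     # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)        # SizeOfImage
    hdrs = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, rs, rp, 0, 0, 0, 0, ch)
        for name, vs, va, rs, rp, ch in sections
    )
    body = bytes(dos) + coff + bytes(opt) + hdrs
    # UPX leaves a version banner in the header padding; yara rules for UPX key on it.
    return body.ljust(0x3F0, b"\0") + b"UPX!" + b"\0" * 0x10


def parse_pe_headers(blob):
    """Return (image_base, size_of_image, sections) from a PE32 image in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature at region start")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", blob, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", blob, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", blob, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 handled here (magic 0x%x)" % magic)
    image_base, = struct.unpack_from("<I", blob, opt + 28)
    size_of_image, = struct.unpack_from("<I", blob, opt + 56)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", blob, off + 8)
        chars, = struct.unpack_from("<I", blob, off + 36)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rwx": chars & 0xE0000000 == 0xE0000000})
    return image_base, size_of_image, sections


def assess_region(blob, region=REPORT_REGION):
    """Tie the parsed headers back to the report: does the image sit where the
    dump was taken, is it the right size, and does it look UPX-packed?"""
    base, size, secs = parse_pe_headers(blob)
    names = [s["name"] for s in secs]
    upx_names = any(n.startswith("UPX") for n in names)
    # Name-independent packer fingerprint: first section has no file-backed bytes,
    # a large virtual size, and is mapped RWX (the in-place unpack destination).
    stub_layout = bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0 and secs[0]["rwx"]
    return {
        "image_base": base,
        "base_matches_region": base == region[0],
        "size_matches_region": size == region[1] - region[0],
        "section_names": names,
        "upx_packed": upx_names or (stub_layout and b"UPX!" in blob),
        "rwx_sections": [s["name"] for s in secs if s["rwx"]],
    }


if __name__ == "__main__":
    print(assess_region(build_fake_upx_image()))
```

When run against a real dump, a mismatch between SizeOfImage and the dumped range usually means the sandbox captured a partial image or the headers were patched; RWX sections named UPX0/UPX1 in a process that was written to by its parent and then had SetThreadContext called on it are exactly what the rest of this report describes.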
Suspicious use of SetThreadContext 1 IoCs
description: PID 824 set thread context of 2268; pid 824; process astat.exe; procid_target 84
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s); the sandbox tags this as likely ransomware behaviour. No IoCs are attached to this signature and no file-encryption or ransom-note signatures were raised in this run, so treat the ransomware label as a heuristic rather than a confirmed verdict.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 668 iBdqphzke5.exe (2 entries)
pid 2268 astat.exe (remaining 62 entries)
Suspicious use of SetWindowsHookEx 4 IoCs
pid 4420 38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
pid 668 iBdqphzke5.exe
pid 824 astat.exe
pid 3916 dstat.exe
Suspicious use of WriteProcessMemory 17 IoCs
PID 4420 (38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe) wrote to memory of 668 (iBdqphzke5.exe), procid_target 80: 3 entries
PID 4420 (38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe) wrote to memory of 824 (astat.exe), procid_target 83: 3 entries
PID 824 (astat.exe) wrote to memory of 2268 (astat.exe), procid_target 84: 8 entries
PID 4420 (38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe) wrote to memory of 3916 (dstat.exe), procid_target 85: 3 entries
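Read together, the SetThreadContext and WriteProcessMemory tables describe one injection chain: astat.exe (824) spawns a second astat.exe (2268), writes into it eight times, sets its thread context, and the child's image region at 0x400000 then matches the upx yara rule. The added example below (my code, not part of tria.ge) transcribes those rows into event tuples and correlates them into a process-hollowing finding, separating the 824 to 2268 chain from the three writes the sample itself makes into each dropped executable. The tuple layout, the `Finding` fields and the `MIN_HOLLOWING_WRITES` threshold are my assumptions, not a Triage data model.

```python
"""Correlate sandbox behaviour events into a process-hollowing finding.

Added example, not tria.ge code.  Event tuples are transcribed from the
report's WriteProcessMemory, SetThreadContext and yara tables; the field
layout and the threshold are assumptions made for this illustration.
"""
from collections import Counter
from dataclasses import dataclass

SAMPLE = "38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe"

# (source pid, source image, target pid, target image), one tuple per logged call.
WRITE_PROCESS_MEMORY = (
    [(4420, SAMPLE, 668, "iBdqphzke5.exe")] * 3
    + [(4420, SAMPLE, 824, "astat.exe")] * 3
    + [(824, "astat.exe", 2268, "astat.exe")] * 8
    + [(4420, SAMPLE, 3916, "dstat.exe")] * 3
)
SET_THREAD_CONTEXT = [(824, "astat.exe", 2268, "astat.exe")]
# target pid -> memory ranges in that process that hit the 'upx' yara rule
PACKER_YARA_HITS = {2268: [(0x00400000, 0x0040E000)]}

MIN_HOLLOWING_WRITES = 3  # assumption: headers, at least one section, entry/PEB fix-up


@dataclass(frozen=True)
class Finding:
    source_pid: int
    target_pid: int
    target_image: str
    writes: int
    set_thread_context: bool
    same_image: bool
    packer_hit: bool
    verdict: str


def correlate(wpm, stc, yara_hits, min_writes=MIN_HOLLOWING_WRITES):
    """Group cross-process writes by (source, target) and decide whether the
    combination looks like process hollowing (RunPE-style injection)."""
    writes = Counter((s, t) for s, _, t, _ in wpm)
    images = {t: ti for _, _, t, ti in wpm}
    sources = {(s, t): si for s, si, t, _ in wpm}
    ctx_pairs = {(s, t) for s, _, t, _ in stc}
    findings = []
    for (src, tgt), n in sorted(writes.items()):
        has_ctx = (src, tgt) in ctx_pairs
        packed = bool(yara_hits.get(tgt))
        same = sources[(src, tgt)] == images[tgt]
        if has_ctx and n >= min_writes:
            # Parent overwrote the child's image with WriteProcessMemory and then
            # repointed its main thread with SetThreadContext; a packer rule hitting
            # the child's image base is the replacement payload sitting there.
            verdict = "process_hollowing"
        elif has_ctx:
            verdict = "thread_context_only"
        else:
            # A handful of writes from a parent into a child it just created is
            # common and low signal on its own; keep it so the chain stays visible.
            verdict = "parent_write_only"
        findings.append(Finding(src, tgt, images[tgt], n, has_ctx, same, packed, verdict))
    return findings


def hollowed_targets(findings):
    """PIDs whose image was replaced by their parent."""
    return [f.target_pid for f in findings if f.verdict == "process_hollowing"]


if __name__ == "__main__":
    for f in correlate(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, PACKER_YARA_HITS):
        print(f)
```

The `same_image` flag is worth keeping in a detection: here the hollowed child is a second copy of astat.exe rather than a trusted system binary, so image-name allow-lists would not have caught it, while the write-count plus SetThreadContext pairing does.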
Processes
C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe (PID 4420, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\iBdqphzke5.exe (PID 668, depth 2, child of 4420)
    command line: C:\Users\Admin\iBdqphzke5.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\astat.exe (PID 824, depth 2, child of 4420)
    command line: C:\Users\Admin\astat.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\astat.exe (PID 2268, depth 3, child of 824)
      command line: "C:\Users\Admin\astat.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\dstat.exe (PID 3916, depth 2, child of 4420)
    command line: C:\Users\Admin\dstat.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files are listed by content hash; the report does not show the on-disk paths, so identical entries are collapsed with their count.

Filesize: 60KB (listed 3 times)
MD5: 87c6498966e3f85fac743c89050aa312
SHA1: 05c165c34cbfa14e4925c33ace81992b0f50a2b5
SHA256: 30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5
SHA512: 740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Filesize: 36KB (listed 2 times)
MD5: b6da847084e39e0cecf175c32c91b4bb
SHA1: fbfd9494fabed5220cdf01866ff088fe7adc535b
SHA256: 065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe
SHA512: 59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Filesize: 244KB (listed 2 times)
MD5: a4cdb62cf4866a17e742e7e9cc73d237
SHA1: 30d94f8e872455ac569949ac4c768d0a0cdfbba7
SHA256: c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32
SHA512: c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671