Analysis
- max time kernel: 159s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/11/2022, 18:01
Static task
- static1
Behavioral task
- behavioral1
  Sample: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  Resource: win10v2004-20221111-en
General
- Target: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Size: 273KB
- MD5: 35a515d816785d3ce2f59eb206133c06
- SHA1: a4ef3f64a17dc8abfb583e47f281cae2b6a443de
- SHA256: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc
- SHA512: 698a3187670728d5285428dd9ef803feebcdc75a0d46e631ae821de9e158256657854b1e734edb9cfb8e5e2945d6f48000248d0dd2228c2c536aefb3d11472c9
- SSDEEP: 6144:8IiW4AcPkGRLlcbFExG4X+0fg1G34WmUctlR0kD:4AcPdRuy+zVWHISkD
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid: 1564, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "\\Java\\Java.exe", Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\Java.exe", Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  File opened for modification: C:\Windows\assembly\Desktop.ini, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  File created: C:\Windows\assembly\Desktop.ini, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  File opened for modification: C:\Windows\assembly\Desktop.ini, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid: 2452, Process: PING.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 1564, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid: 4808, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  Token: SeDebugPrivilege, pid: 1564, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  Token: SeDebugPrivilege, pid: 1564, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 1564, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4808 wrote to memory of 1564, pid: 4808, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe, procid_target: 86
  PID 4808 wrote to memory of 1564, pid: 4808, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe, procid_target: 86
  PID 4808 wrote to memory of 1564, pid: 4808, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe, procid_target: 86
  PID 4808 wrote to memory of 5104, pid: 4808, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe, procid_target: 87
  PID 4808 wrote to memory of 5104, pid: 4808, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe, procid_target: 87
  PID 4808 wrote to memory of 5104, pid: 4808, Process: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe, procid_target: 87
  PID 5104 wrote to memory of 2452, pid: 5104, Process: cmd.exe, procid_target: 89
  PID 5104 wrote to memory of 2452, pid: 5104, Process: cmd.exe, procid_target: 89
  PID 5104 wrote to memory of 2452, pid: 5104, Process: cmd.exe, procid_target: 89
Processes
- C:\Users\Admin\AppData\Local\Temp\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe"
  PID: 4808
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe"
    PID: 1564
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe"
    PID: 5104
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 2452
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc\21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc.exe
  Filesize: 273KB
  MD5: 35a515d816785d3ce2f59eb206133c06
  SHA1: a4ef3f64a17dc8abfb583e47f281cae2b6a443de
  SHA256: 21a1f5a0a478d0ef16c47210137bdcbf8e94cc200c88c9b69f17e075237043fc
  SHA512: 698a3187670728d5285428dd9ef803feebcdc75a0d46e631ae821de9e158256657854b1e734edb9cfb8e5e2945d6f48000248d0dd2228c2c536aefb3d11472c9