Analysis
  max time kernel:   90s
  max time network:  154s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         29/11/2022, 01:23

Static task: static1

Behavioral task: behavioral1
  Sample:   f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample:   f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
  Resource: win10v2004-20220812-en
General
  Target: f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
  Size:   4.2MB
  MD5:    4d7d8ac837650c855e1e8c7906947ef6
  SHA1:   a4dedd6894536f76bae99fa2c034a1be5015308c
  SHA256: f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d
  SHA512: 9674eed9e4efd647a644bf2520dbf8f7ef0b434b558f58a141553c1b0a279fe614cf3a9e21df5b3b3b32cc82c34db78c3cf7c89c0fe31839140a5f8e30c67ab7
  SSDEEP: 98304:ful+CxSktOO7BOBsGstsuGRZsi0/mh/ZMFidqll5UoL27wnvvMo+A:mlLx5F6sGstiyilwod4UoLyws+
Malware Config
Signatures

- Executes dropped EXE (3 IoCs)
    pid   Process
    2276  uiso95pes.exe
    2080  sof.exe
    4496  uiso95pes.tmp

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                                   Process
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  sof.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
    pid   pid_target  Process       procid_target
    3768  2080        WerFault.exe  80

- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
    pid   Process
    2092  ipconfig.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    2080  sof.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
    description                       pid   Process                                                                 procid_target
    PID 3340 wrote to memory of 2276  3340  f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe  79
    PID 3340 wrote to memory of 2276  3340  f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe  79
    PID 3340 wrote to memory of 2276  3340  f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe  79
    PID 3340 wrote to memory of 2080  3340  f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe  80
    PID 3340 wrote to memory of 2080  3340  f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe  80
    PID 3340 wrote to memory of 2080  3340  f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe  80
    PID 2276 wrote to memory of 4496  2276  uiso95pes.exe                                                           81
    PID 2276 wrote to memory of 4496  2276  uiso95pes.exe                                                           81
    PID 2276 wrote to memory of 4496  2276  uiso95pes.exe                                                           81
    PID 2080 wrote to memory of 2092  2080  sof.exe                                                                 82
    PID 2080 wrote to memory of 2092  2080  sof.exe                                                                 82
    PID 2080 wrote to memory of 2092  2080  sof.exe                                                                 82
Processes

- C:\Users\Admin\AppData\Local\Temp\f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe  (PID 3340, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe  (PID 2276, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp  (PID 4496, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp" /SL5="$80046,3553095,123904,C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe"
      Signatures: Executes dropped EXE

  - C:\Users\Admin\AppData\Local\Temp\sof.exe  (PID 2080, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sof.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\ipconfig.exe  (PID 2092, level 3)
      Command line: "C:\Windows\System32\ipconfig.exe" /release
      Signatures: Gathers network information

    - C:\Windows\SysWOW64\WerFault.exe  (PID 3768, level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1192
      Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe  (PID 4808, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2080 -ip 2080
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 755KB
  MD5:    2262d317a3ea3901675f5b5a8bc8d405
  SHA1:   a91298e5024f4df91e9c93dc0816634157318282
  SHA256: 43121ebd3bd259fd66e00a67c8c7dec7a3c2b6d2aa74b52e6a9ffbe96001ad88
  SHA512: 5a4591ac400965f1c34d3f3f967999f5927f322c2ceac79732f9229b1ad371b49a3a905f343a9374197421bb9895c47056d2b142eedf3f96122eec02c12c3136

- Filesize: 524KB
  MD5:    813e75848f38ee4d4d564beeed0e720d
  SHA1:   14e8113567eb158690aa84d60c0eb24f6ea7304f
  SHA256: 93cfa338cba8a05fa74b32fa8688d4095d9c4d0356f0a29011ad871877638818
  SHA512: f277b00a1827051339d059575b83339b96228fac0908536d6be30d6e9b1cb47a6574408bac49e70b91b00ad937c9a67102caa05809a055bca2249503d85a9c8a

- Filesize: 3.8MB
  MD5:    272e3a615f6e850e8d3c7821fab908a1
  SHA1:   dce740201bdadbf97d7e07e6525f86d34b41cbf3
  SHA256: 6da1790e67538fb1528ac6dfe92556fe28c5cdd87f3a8e1112c50bba6e7da6b2
  SHA512: 216d4e3e1015ccf7665061b483b06eb83ef69b9b35d68cb396a5862f9d84da4f401b0bd2aff2b3c43b21de5e2a898f81cf02def68b5be254dd06c143d998a2c5