Analysis

  • max time kernel
    90s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 01:23

General

  • Target

    f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe

  • Size

    4.2MB

  • MD5

    4d7d8ac837650c855e1e8c7906947ef6

  • SHA1

    a4dedd6894536f76bae99fa2c034a1be5015308c

  • SHA256

    f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d

  • SHA512

    9674eed9e4efd647a644bf2520dbf8f7ef0b434b558f58a141553c1b0a279fe614cf3a9e21df5b3b3b32cc82c34db78c3cf7c89c0fe31839140a5f8e30c67ab7

  • SSDEEP

    98304:ful+CxSktOO7BOBsGstsuGRZsi0/mh/ZMFidqll5UoL27wnvvMo+A:mlLx5F6sGstiyilwod4UoLyws+

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
    "C:\Users\Admin\AppData\Local\Temp\f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe
      "C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp" /SL5="$80046,3553095,123904,C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe"
        3⤵
        • Executes dropped EXE
        PID:4496
    • C:\Users\Admin\AppData\Local\Temp\sof.exe
      "C:\Users\Admin\AppData\Local\Temp\sof.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\System32\ipconfig.exe" /release
        3⤵
        • Gathers network information
        PID:2092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1192
        3⤵
        • Program crash
        PID:3768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2080 -ip 2080
    1⤵
    PID:4808

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp

      Filesize

      755KB

      MD5

      2262d317a3ea3901675f5b5a8bc8d405

      SHA1

      a91298e5024f4df91e9c93dc0816634157318282

      SHA256

      43121ebd3bd259fd66e00a67c8c7dec7a3c2b6d2aa74b52e6a9ffbe96001ad88

      SHA512

      5a4591ac400965f1c34d3f3f967999f5927f322c2ceac79732f9229b1ad371b49a3a905f343a9374197421bb9895c47056d2b142eedf3f96122eec02c12c3136

    • C:\Users\Admin\AppData\Local\Temp\sof.exe

      Filesize

      524KB

      MD5

      813e75848f38ee4d4d564beeed0e720d

      SHA1

      14e8113567eb158690aa84d60c0eb24f6ea7304f

      SHA256

      93cfa338cba8a05fa74b32fa8688d4095d9c4d0356f0a29011ad871877638818

      SHA512

      f277b00a1827051339d059575b83339b96228fac0908536d6be30d6e9b1cb47a6574408bac49e70b91b00ad937c9a67102caa05809a055bca2249503d85a9c8a

    • C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe

      Filesize

      3.8MB

      MD5

      272e3a615f6e850e8d3c7821fab908a1

      SHA1

      dce740201bdadbf97d7e07e6525f86d34b41cbf3

      SHA256

      6da1790e67538fb1528ac6dfe92556fe28c5cdd87f3a8e1112c50bba6e7da6b2

      SHA512

      216d4e3e1015ccf7665061b483b06eb83ef69b9b35d68cb396a5862f9d84da4f401b0bd2aff2b3c43b21de5e2a898f81cf02def68b5be254dd06c143d998a2c5

    • memory/2276-139-0x0000000000400000-0x0000000000425000-memory.dmp

      Filesize

      148KB

    • memory/2276-145-0x0000000000400000-0x0000000000425000-memory.dmp

      Filesize

      148KB

    • memory/2276-147-0x0000000000400000-0x0000000000425000-memory.dmp

      Filesize

      148KB