Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    167s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 11:19

General

  • Target

    addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe

  • Size

    183KB

  • MD5

    cb2d856dc72bb7e528dba68f19e8fdca

  • SHA1

    39a48d86e280a65d35bec591776816358b8372e3

  • SHA256

    addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304

  • SHA512

    476009a3a16183a47aa0e02d8fcfea357693f3e67657ebd9f8a5781c054accf02b937555c84a5539f9702a3a81ae48d6a27283dad0790afaa90e90623180bf27

  • SSDEEP

    3072:q/SpcwdFVhNPN1e68NpDUdI9BTX/EOWm1LUABC/74n8snQXkoemxhCh8llgQWZR:q/0FVhNPNMrUITTvosLUAg8n8MQz/cGG

Score
10/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe
    "C:\Users\Admin\AppData\Local\Temp\addaf659dde6e480b982b66999398d52c1bf2dbf751c1ec9280bf98cff615304.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Program Files\WinPcap\PPStream.exe
      "C:\Program Files\WinPcap\PPStream.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\WinPcap\PPStream.exe

    Filesize

    6.6MB

    MD5

    708f12015aae0abf73ab11f8ffc2a739

    SHA1

    534f3c411937ebe6f135a6ab3b100d9f6c283a0a

    SHA256

    0f5093286ca1048a6d13f277c11c23a37dbb494aaa8ca190fd27f80c4c14c881

    SHA512

    efbc5c6357609c95d373a1e53bd52a2fbee867fd3cd7e137396edb3bf1a3bf84a14801543d681446526d7cb3f7887f7b9d7494799e855153314fb16307b92ac2

  • C:\Program Files\WinPcap\PPStream.exe

    Filesize

    6.6MB

    MD5

    708f12015aae0abf73ab11f8ffc2a739

    SHA1

    534f3c411937ebe6f135a6ab3b100d9f6c283a0a

    SHA256

    0f5093286ca1048a6d13f277c11c23a37dbb494aaa8ca190fd27f80c4c14c881

    SHA512

    efbc5c6357609c95d373a1e53bd52a2fbee867fd3cd7e137396edb3bf1a3bf84a14801543d681446526d7cb3f7887f7b9d7494799e855153314fb16307b92ac2

  • memory/3596-138-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3596-139-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/4424-132-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/4424-133-0x00000000021C0000-0x00000000021C3000-memory.dmp

    Filesize

    12KB

  • memory/4424-137-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB