Analysis
max time kernel: 314s
max time network: 382s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 14:30
Behavioral task: behavioral1
  Sample: 859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe
  Resource: win10v2004-20221111-en
General
Target: 859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe
Size: 691KB
MD5: cc46071bd7293fd5872d09c3891d92b8
SHA1: 6250ed4be651746a52a7ccdda6d47ab20db4128e
SHA256: 859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4
SHA512: ae5736f5435a140827d1e1448e9241c2f50527ab1522b49036a2012f2e669a6708c723d9d789b5bf1d73ff2c9a7d3e7c88ba888dde04b495f53e8d96cab66376
SSDEEP: 1536:LbnRuEbswtfKxehJN/Ba6gZblpuiv0SvaxyXaCbZZC4+06gjIrCTRknanwujxsfS:LbnRuEYcg+mliy5bdH6MI2TqnOY
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  1088  winlogon.exe
  3604  winlogon.exe
  3388  winlogon.exe

Yara rule matches (rule: upx)
  resource                                                                      yara_rule
  behavioral2/memory/4560-132-0x0000000000E20000-0x0000000000E5B000-memory.dmp  upx
  behavioral2/memory/4580-135-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/4560-137-0x0000000000E20000-0x0000000000E5B000-memory.dmp  upx
  behavioral2/memory/4580-138-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/4580-139-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/4580-142-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/4580-143-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/files/0x0008000000022e0c-145.dat                                  upx
  behavioral2/files/0x0008000000022e0c-146.dat                                  upx
  behavioral2/memory/4580-149-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/files/0x0008000000022e0c-151.dat                                  upx
  behavioral2/memory/1088-153-0x00000000004D0000-0x000000000050B000-memory.dmp  upx
  behavioral2/memory/3604-154-0x00000000004D0000-0x000000000050B000-memory.dmp  upx
  behavioral2/memory/3604-159-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3388-161-0x0000000000400000-0x0000000000443000-memory.dmp  upx
  behavioral2/files/0x0008000000022e0c-162.dat                                  upx
  behavioral2/memory/3388-164-0x0000000000400000-0x0000000000443000-memory.dmp  upx
  behavioral2/memory/3388-165-0x0000000000400000-0x0000000000443000-memory.dmp  upx
  behavioral2/memory/3388-168-0x0000000000400000-0x0000000000443000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                           pid   Process                                                                 procid_target
  PID 4560 set thread context of 4580   4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 1088 set thread context of 3604   1088  winlogon.exe                                                            87
  PID 3604 set thread context of 3388   3604  winlogon.exe                                                            88
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4580  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe
  3604  winlogon.exe
  3388  winlogon.exe
Suspicious use of WriteProcessMemory (33 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 4560 wrote to memory of 3488    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  81
  PID 4560 wrote to memory of 3488    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  81
  PID 4560 wrote to memory of 3488    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  81
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4560 wrote to memory of 4580    4560  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  82
  PID 4580 wrote to memory of 1088    4580  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  85
  PID 4580 wrote to memory of 1088    4580  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  85
  PID 4580 wrote to memory of 1088    4580  859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe  85
  PID 1088 wrote to memory of 1836    1088  winlogon.exe                                                            86
  PID 1088 wrote to memory of 1836    1088  winlogon.exe                                                            86
  PID 1088 wrote to memory of 1836    1088  winlogon.exe                                                            86
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 1088 wrote to memory of 3604    1088  winlogon.exe                                                            87
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
  PID 3604 wrote to memory of 3388    3604  winlogon.exe                                                            88
Processes

[1] C:\Users\Admin\AppData\Local\Temp\859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe"
    PID: 4560
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        PID: 3488

    [2] C:\Users\Admin\AppData\Local\Temp\859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4.exe
        PID: 4580
        - Checks computer location settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\E696D64614\winlogon.exe
            command line: "C:\Users\Admin\E696D64614\winlogon.exe"
            PID: 1088
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\svchost.exe
                command line: C:\Windows\system32\svchost.exe
                PID: 1836

            [4] C:\Users\Admin\E696D64614\winlogon.exe
                PID: 3604
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\E696D64614\winlogon.exe
                    command line: "C:\Users\Admin\E696D64614\winlogon.exe"
                    PID: 3388
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 691KB
MD5: cc46071bd7293fd5872d09c3891d92b8
SHA1: 6250ed4be651746a52a7ccdda6d47ab20db4128e
SHA256: 859e551058a3035f32e79adf5d217aca6df23cdec4b7498bff491a1d351626a4
SHA512: ae5736f5435a140827d1e1448e9241c2f50527ab1522b49036a2012f2e669a6708c723d9d789b5bf1d73ff2c9a7d3e7c88ba888dde04b495f53e8d96cab66376