Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    312s
  • max time network
    335s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 17:17

General

  • Target

    fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe

  • Size

    82KB

  • MD5

    ae033e0a65c0faabeb3d35ec072d2961

  • SHA1

    a6160f176a5f2bfee83a5f24b1e8dbc2c754392f

  • SHA256

    fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add

  • SHA512

    d47ece53e340e937ceb088477d653fd44fb47a6c952dc025b4b78ed939e210265b3a8b23ecccc68236355498c9aea6e38aa65a2791a9cf72f42abb4163483f19

  • SSDEEP

    1536:6mi+xxdgF45E4h2Hnq8OFnouy8CBZVDYTwtaRdoYVJ42+Jy/:6mi+/dgy5Ef8doutaZZYCajVJ4VJy/

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
    "C:\Users\Admin\AppData\Local\Temp\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add .doc" /o ""
      2⤵
        PID:4848
      • C:\Windows\Temp\_$Cf\osk.exe
        "C:\Windows\Temp\_$Cf\osk.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\SysWOW64\WINWORD.EXE
          "C:\Windows\system32\WINWORD.EXE"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\WINWORD.EXE
            "C:\Windows\system32\WINWORD.EXE"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1776

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Com\ctfmoon.exe

      Filesize

      74KB

      MD5

      862a96836fe55f230039047fc1897b6f

      SHA1

      56a56c039d90714cefe7d2e7bb02e13c2b04764c

      SHA256

      0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

      SHA512

      d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

    • C:\Windows\SysWOW64\WINWORD.EXE

      Filesize

      74KB

      MD5

      862a96836fe55f230039047fc1897b6f

      SHA1

      56a56c039d90714cefe7d2e7bb02e13c2b04764c

      SHA256

      0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

      SHA512

      d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

    • C:\Windows\SysWOW64\WINWORD.EXE

      Filesize

      74KB

      MD5

      862a96836fe55f230039047fc1897b6f

      SHA1

      56a56c039d90714cefe7d2e7bb02e13c2b04764c

      SHA256

      0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

      SHA512

      d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

    • C:\Windows\SysWOW64\WINWORD.EXE

      Filesize

      74KB

      MD5

      862a96836fe55f230039047fc1897b6f

      SHA1

      56a56c039d90714cefe7d2e7bb02e13c2b04764c

      SHA256

      0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

      SHA512

      d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

    • C:\Windows\Temp\_$Cf\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add .doc

      Filesize

      26KB

      MD5

      98d2e1b1e786cefc381e7576dbac46f8

      SHA1

      8814708491d90b2e2788254a9bf38a163071d780

      SHA256

      1d5ddea2a2d81381bab9514567e8556fe8f6848505c8627b0bcdcfc49d24871e

      SHA512

      8e170c02ca257b77abec904d896bfede2c04d1dd25f5807379d3f4f5dc072ceeb3a5d2220c25ce9f2545bdbc21e6c2f19fe5f49fe8a8d922084127f841c52a5d

    • C:\Windows\Temp\_$Cf\osk.exe

      Filesize

      74KB

      MD5

      862a96836fe55f230039047fc1897b6f

      SHA1

      56a56c039d90714cefe7d2e7bb02e13c2b04764c

      SHA256

      0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

      SHA512

      d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

    • C:\Windows\Temp\_$Cf\osk.exe

      Filesize

      74KB

      MD5

      862a96836fe55f230039047fc1897b6f

      SHA1

      56a56c039d90714cefe7d2e7bb02e13c2b04764c

      SHA256

      0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

      SHA512

      d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

    • memory/1776-161-0x0000000011000000-0x000000001102F000-memory.dmp

      Filesize

      188KB

    • memory/1820-145-0x0000000011000000-0x000000001102F000-memory.dmp

      Filesize

      188KB

    • memory/1820-148-0x0000000011000000-0x000000001102F000-memory.dmp

      Filesize

      188KB

    • memory/2316-154-0x0000000011000000-0x000000001102F000-memory.dmp

      Filesize

      188KB

    • memory/4848-155-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

      Filesize

      64KB

    • memory/4848-156-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

      Filesize

      64KB

    • memory/4848-158-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

      Filesize

      64KB

    • memory/4848-160-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

      Filesize

      64KB

    • memory/4848-162-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

      Filesize

      64KB

    • memory/4848-163-0x00007FFE26440000-0x00007FFE26450000-memory.dmp

      Filesize

      64KB

    • memory/5112-140-0x0000000011000000-0x000000001102F000-memory.dmp

      Filesize

      188KB

    • memory/5112-133-0x0000000011000000-0x000000001102F000-memory.dmp

      Filesize

      188KB