Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 21:30
Behavioral task: behavioral1
- Sample: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
- Resource: win10v2004-20220812-en
General
- Target: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
- Size: 1.1MB
- MD5: df9429e6d8cba999535e34a945b847ef
- SHA1: 262d84caf14b46c76f91aa6c1ed1b3b5013a7d25
- SHA256: 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8
- SHA512: a9484bda3fbed8ff84a95be1f25f17b79d57ffe434b3f1e4594d75bdcfdeaa8bc8a0f705175be431357201fa9c1a738fb55a76befe771577c53fc211487699c6
- SSDEEP: 24576:XOIFnM1rGoN1PSWr47HfgXt6b3sCj8nROEbapxS/TRL4cYUuY:+IUlGWrI/g96rskARokNYM
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  1448 | explorer.exe
  3068 | taskmgr.exe
- YARA rule matches (yara_rule: upx)
  resource | yara_rule
  behavioral2/memory/2564-132-0x0000000000400000-0x00000000005E2000-memory.dmp | upx
  behavioral2/files/0x0007000000022e1c-134.dat | upx
  behavioral2/files/0x0007000000022e1c-135.dat | upx
  behavioral2/memory/2564-136-0x0000000000400000-0x00000000005E2000-memory.dmp | upx
  behavioral2/memory/1448-137-0x0000000000400000-0x0000000000525000-memory.dmp | upx
  behavioral2/files/0x0007000000022e1d-139.dat | upx
  behavioral2/files/0x0007000000022e1d-140.dat | upx
  behavioral2/memory/3068-141-0x0000000000400000-0x0000000000525000-memory.dmp | upx
  behavioral2/memory/1448-142-0x0000000000400000-0x0000000000525000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NvCpu = "C:\\Windows\\NvCpu.exe" | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\4080\Info\explorer.exe | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
  File created | C:\Windows\4080\taskmgr.exe | explorer.exe
  File opened for modification | C:\Windows\4080\taskmgr.exe | explorer.exe
  File created | C:\Windows\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
  File created | C:\Windows\NvCpu.exe | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1448 | explorer.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2564 wrote to memory of 1448 | 2564 | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe | 78
  PID 2564 wrote to memory of 1448 | 2564 | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe | 78
  PID 2564 wrote to memory of 1448 | 2564 | 8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe | 78
  PID 1448 wrote to memory of 3068 | 1448 | explorer.exe | 79
  PID 1448 wrote to memory of 3068 | 1448 | explorer.exe | 79
  PID 1448 wrote to memory of 3068 | 1448 | explorer.exe | 79
Processes
1. C:\Users\Admin\AppData\Local\Temp\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8afd7030956cb386cb839002f99a47e8278dd6347b7661c578e722d07d2304e8.exe"
   PID: 2564
   - Checks computer location settings
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\4080\Info\explorer.exe (child of PID 2564)
      Command line: C:\Windows\4080\Info\explorer.exe
      PID: 1448
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\4080\taskmgr.exe (child of PID 1448)
         Command line: C:\Windows\4080\taskmgr.exe
         PID: 3068
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Four download entries are listed; all four carry identical metadata:
- Filesize: 605KB
- MD5: 8a0b19899cddf09f2385c798674a25ce
- SHA1: 979a65d873b89896c79c4f3e7a676402d13c9d29
- SHA256: bc32f193aa6d1ae528308066801908dcd7a26e0f8c4ac7079e78c6a3125344a8
- SHA512: dc5fb3af9faa99b2e9004941c7bd52a27caaa485e8ca22202860d1474e4bca1fadc7c71b4db64a0cb16eb0cee29c89fc4a92e75f3c4b208e1de623f98261e2eb