Analysis

  • max time kernel
    153s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 23:59

General

  • Target

    5dde7ff46ab5ad1ebab20bed28cfd6ae634ab9524ebdee5befeab3b3fff1c94a.exe

  • Size

    152KB

  • MD5

    b46966189200a55ad8ef9156d878778a

  • SHA1

    21a507953df2625d58ea07e901feac4569de301f

  • SHA256

    5dde7ff46ab5ad1ebab20bed28cfd6ae634ab9524ebdee5befeab3b3fff1c94a

  • SHA512

    e1b59870ac7668752f9b9845dbde56f849cdc283a0be6e76684a5df113e74a6bb60acd5376188b0a11be005eb6f14571ada0a1e6d178a367764539ad5605b50b

  • SSDEEP

    3072:n3sevl3Po5+tTjFqV+t3DRGCKBiAKD4oQZiEejq:XQ5+t8+NDR5AgWwO

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dde7ff46ab5ad1ebab20bed28cfd6ae634ab9524ebdee5befeab3b3fff1c94a.exe
    "C:\Users\Admin\AppData\Local\Temp\5dde7ff46ab5ad1ebab20bed28cfd6ae634ab9524ebdee5befeab3b3fff1c94a.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\siehab.exe
      "C:\Users\Admin\siehab.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4344

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\siehab.exe

    Filesize

    152KB

    MD5

    8a7e88f1fc9bc48022eddf2f8e3b6ea0

    SHA1

    d9bdae173078c92cf08d76bc2193995a73e6b06b

    SHA256

    37ce32761771935925fba9e5d60c57620345c1973562a6f8075487eb97487398

    SHA512

    67fe253183f344958e38fcd6d7140915d4f49e281f3820fc95a1c13a2faca412f55c0c7945e78e330663351dc855e89c146e61821485ac3b2cbc6d4c6d2e2665
