Analysis
max time kernel   153s
max time network  174s
platform          windows10-2004_x64
resource          win10v2004-20220812-en
resource tags     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted         01/12/2022, 02:27
Behavioral task behavioral1
Sample    830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Resource  win7-20220812-en
Behavioral task behavioral2
Sample    830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Resource  win10v2004-20220812-en
Every signature, memory-dump and dropped-file reference below carries the behavioral2/ prefix, so the results on this page come from the Windows 10 (win10v2004) run; no behavioral1 (Windows 7) results are shown.
General
Target  830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Size    312KB
MD5     8a07e324c39401883d4f3e928ed38b3d
SHA1    4cb51deef671271cc5a69d4530800705d7dcda43
SHA256  830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512  3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
SSDEEP  3072:1RYfhn6IxI4BXzk6K6Tr5DOZeCzZPj8o3:rE5dXzkmMesL3
Malware Config
(no extracted configuration is shown in the report)
Signatures
Executes dropped EXE  4 IoCs
pid   Process
664   winlogon.exe
5084  winlogon.exe
2708  winlogon.exe
4072  winlogon.exe
YARA rule "upx" matched  14 IoCs
resource                                                                        yara_rule
behavioral2/memory/3836-132-0x0000000000400000-0x0000000000437000-memory.dmp    upx
behavioral2/memory/3836-136-0x0000000000400000-0x0000000000437000-memory.dmp    upx
behavioral2/memory/2132-135-0x0000000000400000-0x000000000041C000-memory.dmp    upx
behavioral2/memory/2132-138-0x0000000000400000-0x000000000041C000-memory.dmp    upx
behavioral2/memory/2132-139-0x0000000000400000-0x000000000041C000-memory.dmp    upx
behavioral2/memory/2132-142-0x0000000000400000-0x000000000041C000-memory.dmp    upx
behavioral2/files/0x0006000000022e39-145.dat                                    upx
behavioral2/files/0x0006000000022e39-144.dat                                    upx
behavioral2/memory/2132-146-0x0000000000400000-0x000000000041C000-memory.dmp    upx
behavioral2/memory/664-151-0x0000000000400000-0x0000000000437000-memory.dmp     upx
behavioral2/files/0x0006000000022e39-150.dat                                    upx
behavioral2/memory/5084-157-0x0000000000400000-0x000000000041C000-memory.dmp    upx
behavioral2/files/0x0006000000022e39-160.dat                                    upx
behavioral2/files/0x0006000000022e39-163.dat                                    upx
The rule fires on both the dropped file (the files/0x0006000000022e39-*.dat entries) and on process memory at the default image base 0x400000. Note the two different image extents: the processes that perform the injection (PIDs 3836 and 664) are mapped 0x400000-0x437000, while the processes that receive a new thread context (PIDs 2132 and 5084) are mapped 0x400000-0x41C000, consistent with a different, smaller image being placed at the same base in the hijacked copies.
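The rows above show a YARA rule named upx matching on dropped files and on image dumps. The following Python is an added illustration of the simplest form of that check and is not Triage's rule or code from this report: it parses the PE section table and flags UPX's default section names (UPX0/UPX1/UPX2) or the "UPX!" pack-header marker that stock UPX leaves in the header region. The PE images it runs on are header-only fixtures constructed inside the script; the sample itself is not embedded.

```python
from __future__ import annotations

import struct

# Default section names stock UPX writes into a packed PE (UPX0: region the code is
# unpacked into, UPX1: packed data plus loader stub, UPX2: resources, if present).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"  # pack-header marker, normally in the unused header space


def section_names(image: bytes) -> list[str]:
    """Return the section names of a PE image (file bytes or a dump of the mapped image)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF file header follows the 4-byte signature: NumberOfSections is at +2 and
    # SizeOfOptionalHeader at +16 within the 20-byte header.
    (number_of_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (size_of_optional_header,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        names.append(image[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(image: bytes) -> bool:
    """Heuristic UPX check: default section names, or the UPX! marker inside the headers."""
    if UPX_SECTION_NAMES & set(section_names(image)):
        return True
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # SizeOfHeaders sits at offset 60 of the optional header in both PE32 and PE32+.
    (size_of_headers,) = struct.unpack_from("<I", image, e_lfanew + 24 + 60)
    return UPX_MAGIC in image[:max(size_of_headers, 0x400)]


def build_pe(names: list[bytes], trailer: bytes = b"") -> bytes:
    """Build a minimal, non-runnable PE32 header (constructed test fixture, not a real binary)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    optional[0:2] = b"\x0B\x01"  # PE32 magic
    headers_len = e_lfanew + 4 + len(coff) + len(optional) + 40 * len(names) + len(trailer)
    struct.pack_into("<I", optional, 60, headers_len)  # SizeOfHeaders
    sections = b"".join(n.ljust(8, b"\x00")[:8] + bytes(32) for n in names)
    return dos_header + b"PE\x00\x00" + coff + bytes(optional) + sections + trailer


# Constructed fixtures: a stock UPX layout, a clean layout, and a layout with the
# section names scrubbed but the marker left behind (a common evasion).
UPX_FIXTURE = build_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=bytes(8) + UPX_MAGIC + bytes(4))
CLEAN_FIXTURE = build_pe([b".text", b".rdata", b".data", b".rsrc"])
RENAMED_FIXTURE = build_pe([b".text", b".data"], trailer=UPX_MAGIC)

if __name__ == "__main__":
    for label, img in [("upx", UPX_FIXTURE), ("clean", CLEAN_FIXTURE), ("renamed", RENAMED_FIXTURE)]:
        print(label, section_names(img), looks_upx_packed(img))
```

To apply it to a real file, call looks_upx_packed(open(path, "rb").read()). Because a dump of the mapped image keeps its headers, the same parser works on the *-memory.dmp resources listed above. Both heuristics are weak on their own: section names are trivially renamed, and the marker is a four-byte string that can be patched out, so a negative result says nothing about whether the code is packed.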
Checks computer location settings  2 TTPs  1 IoC
Looks up the country code configured in the registry, likely a geofence check.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation    830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
The key is the per-user HKCU\Control Panel\International\Geo\Nation (shown here under the user's S-1-5-21-... SID). This is a read, not a write: Sysmon's registry events (IDs 12-14) cover key creation and deletion, value sets and renames, so reproducing this detection outside the sandbox needs query-level telemetry (kernel registry ETW or an EDR hook on the query API). The report records the lookup only; it does not show which country code the sample compares against or how it behaves on a match.
Suspicious use of SetThreadContext  4 IoCs
description                            pid   Process                                                                   procid_target
PID 3836 set thread context of 2132    3836  830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe    80
PID 664 set thread context of 5084     664   winlogon.exe                                                              84
PID 5084 set thread context of 2708    5084  winlogon.exe                                                              87
PID 5084 set thread context of 4072    5084  winlogon.exe                                                              97
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's description labels this "likely ransomware behaviour", but no IoC rows are attached to the signature and nothing else on this page corroborates that reading: the remaining signatures describe a geofence lookup, process injection and a dropped self-copy. Treat it as a generic heuristic rather than evidence of ransomware.
Program crash  2 IoCs
pid   pid_target  Process       procid_target
4108  2708        WerFault.exe  87
628   4072        WerFault.exe  97
Suspicious use of SetWindowsHookEx  2 IoCs
pid   Process
2132  830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
5084  winlogon.exe
Suspicious use of WriteProcessMemory  41 IoCs
The report lists one row per call; identical rows are grouped below with their count (3+8+3+3+8+8+8 = 41).
description                         pid   Process                                                                   procid_target  rows
PID 3836 wrote to memory of 2252    3836  830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe    79             3
PID 3836 wrote to memory of 2132    3836  830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe    80             8
PID 2132 wrote to memory of 664     2132  830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe    82             3
PID 664 wrote to memory of 3328     664   winlogon.exe                                                              83             3
PID 664 wrote to memory of 5084     664   winlogon.exe                                                              84             8
PID 5084 wrote to memory of 2708    5084  winlogon.exe                                                              87             8
PID 5084 wrote to memory of 4072    5084  winlogon.exe                                                              97             8
The targets that received eight writes are exactly the four SetThreadContext targets; the targets that received three writes (the two svchost.exe instances and the first winlogon.exe) never had their thread context replaced.
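The SetThreadContext and WriteProcessMemory tables above are what identify the injection chain: a child that is both written to and has its thread context replaced is the classic RunPE/process-hollowing pattern, while a child that is only written to may simply have been spawned. The following Python is an added example, not code from the Triage report, that parses rows in the flattened form they appear in on this page and correlates the two tables. The input rows are transcribed from the tables above; the WriteProcessMemory row is abbreviated to one entry per (writer, target) pair.

```python
import re
from collections import Counter

SAMPLE = "830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe"

# Rows transcribed from the report's signature tables (constructed input for this
# example). Each entry reads "<description> <pid> <Process> <row index>". The
# WriteProcessMemory row keeps one entry per (writer, target) pair; the report
# itself repeats each pair several times (41 rows in total).
SET_THREAD_CONTEXT_ROW = (
    f"PID 3836 set thread context of 2132 3836 {SAMPLE} 80 "
    "PID 664 set thread context of 5084 664 winlogon.exe 84 "
    "PID 5084 set thread context of 2708 5084 winlogon.exe 87 "
    "PID 5084 set thread context of 4072 5084 winlogon.exe 97"
)
WRITE_PROCESS_MEMORY_ROW = (
    f"PID 3836 wrote to memory of 2252 3836 {SAMPLE} 79 "
    f"PID 3836 wrote to memory of 2132 3836 {SAMPLE} 80 "
    f"PID 2132 wrote to memory of 664 2132 {SAMPLE} 82 "
    "PID 664 wrote to memory of 3328 664 winlogon.exe 83 "
    "PID 664 wrote to memory of 5084 664 winlogon.exe 84 "
    "PID 5084 wrote to memory of 2708 5084 winlogon.exe 87 "
    "PID 5084 wrote to memory of 4072 5084 winlogon.exe 97"
)

# description (with source pid and target pid), pid column repeating the source
# pid, Process image, then the row index, which is ignored.
ROW_RE = re.compile(
    r"PID (?P<pid>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) \d+"
)


def parse_rows(row_text):
    """Yield (source_pid, action, target_pid, source_image) for each entry in a flattened row."""
    for m in ROW_RE.finditer(row_text):
        yield int(m["pid"]), m["action"], int(m["target"]), m["image"]


def correlate(write_row, ctx_row):
    """Join WriteProcessMemory and SetThreadContext events on the (source, target) pair.

    'hijacked' pairs were written to and then had a thread context replaced.
    'write_only' pairs were written to but never hijacked; on this page those are
    the svchost.exe children and the first winlogon.exe, so a write on its own
    is not enough to call injection.
    """
    writes = Counter()
    images = {}
    for pid, _, target, image in parse_rows(write_row):
        writes[(pid, target)] += 1
        images[pid] = image
    ctx = {(pid, target) for pid, _, target, _ in parse_rows(ctx_row)}
    return {
        "hijacked": sorted(p for p in ctx if p in writes),
        "write_only": sorted(p for p in writes if p not in ctx),
        "ctx_without_write": sorted(p for p in ctx if p not in writes),
        "images": images,
    }


def chains(hijacked):
    """Nest hijacked pairs into trees: [source, [target, ...its own targets...], ...]."""
    by_source = {}
    for src, dst in hijacked:
        by_source.setdefault(src, []).append(dst)
    targets = {dst for _, dst in hijacked}
    roots = sorted(src for src in by_source if src not in targets)

    def walk(pid):
        return [pid] + [walk(child) for child in sorted(by_source.get(pid, []))]

    return [walk(root) for root in roots]


if __name__ == "__main__":
    result = correlate(WRITE_PROCESS_MEMORY_ROW, SET_THREAD_CONTEXT_ROW)
    print("hijacked:", result["hijacked"])
    print("write only:", result["write_only"])
    print("chains:", chains(result["hijacked"]))
```

On the rows above this yields two hijack trees, 3836 -> 2132 and 664 -> 5084 -> {2708, 4072}; the link between them (2132 -> 664) appears only as a write, which matches the process tree below, where 664 is the dropped winlogon.exe started by 2132 rather than a hollowed process.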
Processes
Depth markers [1]..[6] are the report's own; the injected copies (PIDs 2132 and 5084) carry no marker on the page and are placed under the process that set their thread context.
[1] C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe"
    PID 3836  (Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory)
    [2] C:\Windows\SysWOW64\svchost.exe
        cmdline: C:\Windows\system32\\svchost.exe
        PID 2252
    [2] C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
        PID 2132  (Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory)
        [3] C:\Users\Admin\E696D64614\winlogon.exe
            cmdline: "C:\Users\Admin\E696D64614\winlogon.exe"
            PID 664  (Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory)
            [4] C:\Windows\SysWOW64\svchost.exe
                cmdline: C:\Windows\system32\\svchost.exe
                PID 3328
            [4] C:\Users\Admin\E696D64614\winlogon.exe
                PID 5084  (Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory)
                [5] C:\Users\Admin\E696D64614\winlogon.exe
                    cmdline: "C:\Users\Admin\E696D64614\winlogon.exe"
                    PID 2708  (Executes dropped EXE)
                    [6] C:\Windows\SysWOW64\WerFault.exe
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 12
                        PID 4108  (Program crash)
                [5] C:\Users\Admin\E696D64614\winlogon.exe
                    cmdline: "C:\Users\Admin\E696D64614\winlogon.exe"
                    PID 4072  (Executes dropped EXE)
                    [6] C:\Windows\SysWOW64\WerFault.exe
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 12
                        PID 628  (Program crash)
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2708 -ip 2708
    PID 5064
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4072 -ip 4072
    PID 4012

Reading the tree against the signature tables: the submitted sample (3836) starts an svchost.exe (2252) and a second copy of itself (2132), writes into 2132 and replaces its thread context. The hijacked copy performs the Geo\Nation lookup, calls SetWindowsHookEx, and drops winlogon.exe into C:\Users\Admin\E696D64614\ and runs it (664). The dropped file repeats the sequence (svchost.exe 3328, then a hijacked copy 5084), and 5084 in turn injects into two more winlogon.exe children (2708, 4072), both of which crash and are handled by WerFault.exe. All paths run under SysWOW64, i.e. a 32-bit executable on the x64 image, and every dropped winlogon.exe carries the same hashes as the submitted sample (see Downloads), so the drop is a self-copy under a spoofed system-binary name in a user-writable directory, not a separate second stage. Notice that the svchost.exe instances are started but never hijacked (three writes each, no SetThreadContext), and that no network activity is shown on this page.
Network
MITRE ATT&CK Enterprise v6
Downloads
Five dropped-file entries, all with identical hashes (the same values as the submitted sample under General):
Filesize  312KB
MD5       8a07e324c39401883d4f3e928ed38b3d
SHA1      4cb51deef671271cc5a69d4530800705d7dcda43
SHA256    830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512    3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6