Analysis
- max time kernel: 141s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 06:19
Behavioral task behavioral1
- Sample: 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
- Resource: win10v2004-20220812-en
General
- Target: 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
- Size: 140KB
- MD5: 438320792e6dc8bccb6beeba01f4dd82
- SHA1: 40373fc465ef56c422c7a6745a9030150202e619
- SHA256: 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308
- SHA512: 6a13589c647ca9b000ebf55856c42a8581fca0ba65dc0f87d4ef150724749be8232d78607fba345d6d514a8135bcd47052605ada6c563504b1e02973e71b1caa
- SSDEEP: 3072:lb4s/l8iiDXiYukRy9Vd746gh4Z91gCBzTz4y3/UHj7Nzspl+fXv:lB/l0Xi3uyJ7Mhy9dx3s3ff
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceTestDos\Parameters\ServiceDll = "C:\\Windows\\ServiceTestDos.dll" | 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
- yara_rule matches
  resource | yara_rule
  behavioral2/memory/4204-132-0x0000000000F30000-0x0000000000F77000-memory.dmp | vmprotect
  behavioral2/memory/4204-133-0x0000000000F30000-0x0000000000F77000-memory.dmp | vmprotect
  behavioral2/files/0x0007000000022f48-134.dat | vmprotect
  behavioral2/files/0x0007000000022f48-135.dat | vmprotect
  behavioral2/memory/4960-136-0x0000000074CB0000-0x0000000074CF7000-memory.dmp | vmprotect
  behavioral2/memory/4960-137-0x0000000074CB0000-0x0000000074CF7000-memory.dmp | vmprotect
  behavioral2/memory/4204-138-0x0000000000F30000-0x0000000000F77000-memory.dmp | vmprotect
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  4960 | svchost.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\ServiceTestDos.dll | 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
  File opened for modification | C:\Windows\ServiceTestDos.dll | 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4204 wrote to memory of 4544 | 4204 | 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe | 82
  PID 4204 wrote to memory of 4544 | 4204 | 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe | 82
  PID 4204 wrote to memory of 4544 | 4204 | 0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0522546519d4ec1efe7f947c291287db5219027476500c11a59984377c853308.exe"
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 4204
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240575437.bat" "
    PID: 4544
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k ServiceTestDos -s ServiceTestDos
  - Loads dropped DLL
  - Checks processor information in registry
  PID: 4960
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 239B
  MD5: 97394993285e7d16fcadf93288659fbc
  SHA1: 7b639440d8fb4d2925d223cd3e8693e2fee19f29
  SHA256: c824e32ec587d3695f1952b55da83d67a88c22feb8deafa688dd6452cf345c91
  SHA512: 9e5d21d23f94cb1bddc4aca41df9166f2f5a6d0bbb7edac078398d2577e39ddef6ce10076bb81653dc39b27ccd191e413d34bd7e2c8dcdf86d7c1b823b7b3a7e
- Filesize: 140KB
  MD5: 3831fff43a1bcc807bf4669c1e352515
  SHA1: ad9a5a0ec91e9675ca7c748ecafc9823b8a12d9a
  SHA256: cc243035b16d0f86ea91c825043e90ac649b7f2eb749478ccac8581306b599a4
  SHA512: b531a2145d8f0779252add2db60d1704e363b73525dcf759457a9cddc0fa2ee7c43403debb2f42527dd88e30b1f07d97c46010482e836aef444abe513818fe25
- Filesize: 140KB
  MD5: 3831fff43a1bcc807bf4669c1e352515
  SHA1: ad9a5a0ec91e9675ca7c748ecafc9823b8a12d9a
  SHA256: cc243035b16d0f86ea91c825043e90ac649b7f2eb749478ccac8581306b599a4
  SHA512: b531a2145d8f0779252add2db60d1704e363b73525dcf759457a9cddc0fa2ee7c43403debb2f42527dd88e30b1f07d97c46010482e836aef444abe513818fe25