Analysis
max time kernel: 206s
max time network: 218s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  Resource: win10v2004-20221111-en
General
Target: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Size: 3.1MB
MD5: 6460c9956bd90b9fc83d318aac0c72f7
SHA1: 130d7cd6d44234a2c8b78bb10a592539ecae0703
SHA256: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e
SHA512: d33c712830bd31d16eb7aba30eaf331cef6ac6a5b06c5be0180411caa5828e147db8379991431cb2098ee5ff00437cc2c7e333930df215b2856d5b30da768603
SSDEEP: 49152:T0T9a9PH8kmpnUYBTGpax+5jrdewURNGzGo5KG+jLcasY6DwOBfrnvV7UeWtPNZ:TQofrJuTGKnwURNGUnjQYiwOBpIeWHZ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 4160  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Loads dropped DLL (1 IoC)
  PID 4160  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  File opened for modification: C:\Windows\assembly\Desktop.ini  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4160  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly\Desktop.ini  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  File opened for modification: C:\Windows\assembly  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  File created: C:\Windows\assembly\Desktop.ini  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4160  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  PID 4160  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 4160  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2324 wrote to memory of 4160  PID 2324  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe  procid_target: 86
  PID 2324 wrote to memory of 4160  PID 2324  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe  procid_target: 86
  PID 2324 wrote to memory of 4160  PID 2324  Process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe  procid_target: 86
Processes
C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
  PID: 2324
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
    PID: 4160
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe.log
  Filesize: 312B
  MD5: d4b49ac61a6cac139f96450777c10204
  SHA1: 92089d33442c9e2eaceac3ed8db6a7168f938e5a
  SHA256: 807bdfa62a4312030c1ed54981674cff77f6108e6b4957754cabb810098ce082
  SHA512: eb13a0e7f0d4b44db7e8d0625ba1ee6a036083c39c24b85493d3ec9074ada03eb7003b97bd92ed5f2baaf26295a4690303332593c4776e75da5bc3b6adbc3ea6
-
C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  Filesize: 3.0MB
  MD5: 7d590bccd10a91278a1d0c1db1e6886f
  SHA1: b95b286fa7ba1457bb7a93b06761177e84b0c8e2
  SHA256: cb17a248e6356ce4b8ee44f6eb567d7a16f093dbe2706928861d0920825d4155
  SHA512: 00a9acda8e00c00c3e89bf5aa7de555dfd37c41c93f260114f07376dc586b5dc8feaa4712a0b15e335ebb31d550856c812f00683cbc9a6b94b8dbab0c89f88d9
-
  Filesize: 893KB
  MD5: 04ad4b80880b32c94be8d0886482c774
  SHA1: 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0
  SHA256: a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338
  SHA512: 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb