Analysis
- max time kernel: 91s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 08:28
Static task: static1
Behavioral task: behavioral1
- Sample: 9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
- Resource: win10v2004-20220812-en
General
- Target: 9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
- Size: 4.0MB
- MD5: a9f01eb697acc0e76024d77fcb62a14d
- SHA1: 8f6b0623d264e68206cd33e5e712453b8277269e
- SHA256: 9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59
- SHA512: 2057c1aa58bba04c6ce86745a8ae3c90b6725eb6a4aa237416f1aa65d9bc1bace5136ed24fc87e7d542be36cdd53c21883842bf16c663d7d37854333dcf30823
- SSDEEP: 98304:1nFy46gTWZMmAbYfSdWAXVjLFvYhcTgr1jLheG:NFH6E05foXVPehcTk1jLhr
Malware Config
Signatures
- Drops file in Drivers directory (3 IoCs)
  description                   ioc                                     Process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   mrvujoukrvz.exe
  File opened for modification  C:\Windows\system32\drivers\etc\hosts   cmd.exe
  File created                  C:\Windows\system32\drivers\etc\hоsts   cmd.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2200  mrvujoukrvz.exe
  4664  Kopatel-Online-new-Chit-na-DENGI.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  mrvujoukrvz.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  pid   Process
  1520  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4664  Kopatel-Online-new-Chit-na-DENGI.exe
  4664  Kopatel-Online-new-Chit-na-DENGI.exe
  4664  Kopatel-Online-new-Chit-na-DENGI.exe
  4664  Kopatel-Online-new-Chit-na-DENGI.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1520  taskkill.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  2200  mrvujoukrvz.exe
  2200  mrvujoukrvz.exe
  4888  cmd.exe
  4664  Kopatel-Online-new-Chit-na-DENGI.exe
  4664  Kopatel-Online-new-Chit-na-DENGI.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 4584 wrote to memory of 2200     4584  9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe     78
  PID 4584 wrote to memory of 2200     4584  9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe     78
  PID 4584 wrote to memory of 2200     4584  9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe     78
  PID 2200 wrote to memory of 4888     2200  mrvujoukrvz.exe                                                           80
  PID 2200 wrote to memory of 4888     2200  mrvujoukrvz.exe                                                           80
  PID 2200 wrote to memory of 4888     2200  mrvujoukrvz.exe                                                           80
  PID 4888 wrote to memory of 3612     4888  cmd.exe                                                                   82
  PID 4888 wrote to memory of 3612     4888  cmd.exe                                                                   82
  PID 4888 wrote to memory of 3612     4888  cmd.exe                                                                   82
  PID 2200 wrote to memory of 4664     2200  mrvujoukrvz.exe                                                           83
  PID 2200 wrote to memory of 4664     2200  mrvujoukrvz.exe                                                           83
  PID 2200 wrote to memory of 4664     2200  mrvujoukrvz.exe                                                           83
  PID 4888 wrote to memory of 1520     4888  cmd.exe                                                                   84
  PID 4888 wrote to memory of 1520     4888  cmd.exe                                                                   84
  PID 4888 wrote to memory of 1520     4888  cmd.exe                                                                   84
Processes
- C:\Users\Admin\AppData\Local\Temp\9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b6d5394830b08a9ce69e56878d1abbaa4f5491df5ee067dc3f5e834e543cd59.exe"
  PID: 4584
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mrvujoukrvz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mrvujoukrvz.exe" exuuhyr.bat++Kopatel-Online-new-Chit-na-DENGI.exe++++++++
    PID: 2200
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c exuuhyr.bat
      PID: 4888
      - Drops file in Drivers directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 866
        PID: 3612
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im "praetorian.exe"
        PID: 1520
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\Kopatel-Online-new-Chit-na-DENGI.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Kopatel-Online-new-Chit-na-DENGI.exe"
      PID: 4664
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4.4MB
  MD5: 71adbe0979989bbe9f71f35aac23706f
  SHA1: 76264dd225f0672162c3c0c654b966798953343c
  SHA256: ec189b25868064e6056a9fd34cfc9797b856dc2c4b4f4c04ad4d4b966e98dc0a
  SHA512: 1d9dce0b604b7bccc32b89a72b3dbacaecc61d566e68b6faa762d50ab854b5be7b4b12d93546dfd6e609aa31140340f8857ac0d0bd150d68d74edf8c44286aa3
- Filesize: 6KB
  MD5: 1e1c897ec096ce398e6ea97c45250418
  SHA1: 556d757b1659da91205533bb180245e60222dba9
  SHA256: 10b69869db046bc520f1320b893ea3930f9745f6057dc0d5bc16ac39ccbb29f9
  SHA512: b4cdfa779db06713027fae05972c108c82556746d5ce9a8f79c539659831e3e5728c15a9104922d21e2896198a74153e1b80de215c3be6184ace585bf36bfd82
- Filesize: 79KB
  MD5: b49d04a1ba0b7b996d5796291cb100f6
  SHA1: a6b9d7744d737fd9e6a63cfd1453429791a9c2c3
  SHA256: e0b7e1e3ca55e72e1c24ebecd851a7b0b6316c0db0d128a6dc8bd587cf280b7d
  SHA512: e9e0af58b69c438426ce618c9b8d975aab6c6219f19d3e889a1203d972c8feb78ac9669544fb9272d0bdbc13110e0c43c9b09423371a665ec33c85e5ac8733d3
- Filesize: 609B
  MD5: a99a2ac6ad1054d50981cb6220b19812
  SHA1: c41d8af4ea09ee3287175043355af1f9003ad085
  SHA256: 72f44f0ba6f691c091ad6d2b254adfbe8ef8d5ba7aa224dbf65b7e8537862532
  SHA512: 9b00a060b0ae28f998e2e1eebe2f5f1d31c7e1b8b8edf148f8becddd596edc6105274eccb39cb299438226745376af58fd903f7d08d0d8518f6f24eb47dbca02