Analysis
max time kernel: 159s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 09:30
Static task: static1
Behavioral task: behavioral1
  Sample: 66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
  Resource: win10v2004-20220812-en
General
Target: 66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
Size: 477KB
MD5: 6987e9b81baccbb1dee2feff78dee9d0
SHA1: 018411350364a911a5022355e0de7aa532ab249e
SHA256: 66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c
SHA512: 5657e7b25bf72a08bce0eaf875193c8f14e20841cb4cb054fe87b9c6ba5c489f62d8dcdd20f97ed9a7719cea0a9e31edcb2743bde7e7654a1a2726d2d8a01316
SSDEEP: 12288:9PTveekpmU2GxQA5dZWkZK6nPqM+WcD4ellNrr/w:9I24QAhWhWMHD4MlNHw
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4904  ebzob.exe
  3804  royjv.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  ebzob.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3804  royjv.exe  (the same entry is repeated for all 64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 5072 wrote to memory of 4904   5072  66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe  82
  PID 5072 wrote to memory of 4904   5072  66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe  82
  PID 5072 wrote to memory of 4904   5072  66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe  82
  PID 5072 wrote to memory of 4336   5072  66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe  83
  PID 5072 wrote to memory of 4336   5072  66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe  83
  PID 5072 wrote to memory of 4336   5072  66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe  83
  PID 4904 wrote to memory of 3804   4904  ebzob.exe                                                               93
  PID 4904 wrote to memory of 3804   4904  ebzob.exe                                                               93
  PID 4904 wrote to memory of 3804   4904  ebzob.exe                                                               93
Processes
- C:\Users\Admin\AppData\Local\Temp\66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\66dfb70ef70159b6dca15976c2e43346cacdb36b8e1b2cb71ebcfa2f884fcd4c.exe"
  PID: 5072
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ebzob.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ebzob.exe"
    PID: 4904
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\royjv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\royjv.exe"
      PID: 3804
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 4336
Network
MITRE ATT&CK Enterprise v6
Downloads