Analysis
max time kernel: 155s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 13:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
  Resource: win10v2004-20221111-en
The platform fields above and the signatures, process tree and downloads below belong to behavioral2 (win10v2004-20221111-en); the behavioral1 (Windows 7) run is not shown on this page.
General
Target: 2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
Size: 662KB
MD5: cd642c5f2839697b4a5e08627cbf6f9b
SHA1: dff5b04da6edc740e4ba82cfba45afe22d08c7c4
SHA256: 2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7
SHA512: 942b2cfcf43308a972834ff2062cac4413cf071aa5f33eba6cf28fd8ce818e3bbab4d315945d6e553db76b6251b0ee7e21b0a71a0ad9e404ade6a660d798f186
SSDEEP: 12288:z37h6cT888888888888W88888888888tO+Lp36ABo8YUoYBWzWgdutXsdTgKjtj0:j7hZel6WzWgduyJgKjTbOV6+YPa
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  PID   Process
  2600  adinstall.exe
  3896  adinstall.tmp
  448   metablogagent.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  Description      IoC                                                                                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MetablogNewIssues = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\MetablogNewIssues.exe /byboot"   adinstall.tmp
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metablogagent = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\metablogagent.exe"                   adinstall.tmp
  Key created      \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                                              adinstall.tmp
Both values sit in the per-user hive (HKCU of the S-1-5-21-...-1000 account) and point into %LOCALAPPDATA%\MetablogNewIssues, a directory the user can write to without elevation; only metablogagent.exe is seen running in this report, the MetablogNewIssues.exe /byboot entry is set but not executed during the analysis window.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's generic description, not a finding specific to this sample: nothing else in the report (an installer that drops an agent and adds Run keys) shows file encryption or a ransom note, so treat the ransomware hint as unconfirmed.
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID   Process
  4816  2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
  448   metablogagent.exe
  448   metablogagent.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                                                                 procid_target
  PID 4816 wrote to memory of 2600  4816  2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe  84
  PID 4816 wrote to memory of 2600  4816  2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe  84
  PID 4816 wrote to memory of 2600  4816  2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe  84
  PID 2600 wrote to memory of 3896  2600  adinstall.exe                                                           87
  PID 2600 wrote to memory of 3896  2600  adinstall.exe                                                           87
  PID 2600 wrote to memory of 3896  2600  adinstall.exe                                                           87
  PID 3896 wrote to memory of 448   3896  adinstall.tmp                                                           89
  PID 3896 wrote to memory of 448   3896  adinstall.tmp                                                           89
  PID 3896 wrote to memory of 448   3896  adinstall.tmp                                                           89
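The signature rows above arrive as flattened text, which is awkward to feed into triage tooling. The following is an added Python example (not part of the tria.ge report or its tooling) that parses the "Adds Run key" rows into structured autostart entries, flags targets that live in a user-writable profile directory, and collapses the triplicated WriteProcessMemory rows into a unique parent-to-child chain. The row layouts are assumed from what this page shows rather than from any published tria.ge schema, and the user-writable heuristic is this example's own; the sample rows are copied from the report.

```python
"""Structure the flattened signature rows of a tria.ge report for triage.

Added example; not part of the tria.ge report or its tooling. Row layouts
are assumed from what the page shows (no published tria.ge schema is used).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample rows copied from the report (PIDs, SID and paths are the page's own).
EXEC_ROW = "2600 adinstall.exe 3896 adinstall.tmp 448 metablogagent.exe"

RUN_KEY_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MetablogNewIssues = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\MetablogNewIssues.exe /byboot" adinstall.tmp
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metablogagent = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\metablogagent.exe" adinstall.tmp
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run adinstall.tmp
"""

WPM_ROWS = """
PID 4816 wrote to memory of 2600 4816 2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe 84
PID 4816 wrote to memory of 2600 4816 2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe 84
PID 4816 wrote to memory of 2600 4816 2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe 84
PID 2600 wrote to memory of 3896 2600 adinstall.exe 87
PID 2600 wrote to memory of 3896 2600 adinstall.exe 87
PID 2600 wrote to memory of 3896 2600 adinstall.exe 87
PID 3896 wrote to memory of 448 3896 adinstall.tmp 89
PID 3896 wrote to memory of 448 3896 adinstall.tmp 89
PID 3896 wrote to memory of 448 3896 adinstall.tmp 89
"""

# 'Set value (<type>) <key path>\<value name> = "<data>" <writing process>'
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
# First token of the value data: an absolute .exe path, optionally quoted, then args.
EXE_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.exe)"?(?:\s+(.*))?$', re.I)
# 'PID <src> wrote to memory of <dst> <pid> <process> <procid_target>'
# (procid_target is the report's internal row id, not the child PID).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


@dataclass(frozen=True)
class RunKeyEntry:
    hive: str            # SID of the per-user hive (HKCU persistence) or "HKLM"
    value_name: str
    target: str          # executable the Run value points at
    args: str
    writer: str          # process that wrote the value
    user_writable: bool  # target lives where a non-admin user can replace it


def hive_of(key: str) -> str:
    parts = key.split("\\")  # ['', 'REGISTRY', 'USER', '<SID>', 'SOFTWARE', ...]
    if len(parts) > 3 and parts[2].upper() == "USER":
        return parts[3]
    return "HKLM"


def user_writable(path: str) -> bool:
    # Heuristic assumed here: anything under a user profile (AppData, Temp, ...)
    # is writable without admin rights, unlike Program Files or Windows.
    return re.match(r"^[a-z]:\\users\\[^\\]+\\", path, re.I) is not None


def parse_run_keys(text: str) -> list[RunKeyEntry]:
    """Extract autostart entries from 'Set value' rows under a Run/RunOnce key."""
    entries = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # 'Key created' rows carry no target
        _kind, key_path, data, writer = m.groups()
        key, _, name = key_path.rpartition("\\")
        if not re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.I):
            continue
        exe = EXE_RE.match(data.replace("\\\\", "\\"))  # undo doubled backslashes
        if not exe:
            continue
        target, args = exe.group(1), exe.group(2) or ""
        entries.append(RunKeyEntry(hive_of(key), name, target, args, writer,
                                   user_writable(target)))
    return entries


def process_chain(wpm_text: str, exec_row: str) -> list[tuple[int, str, int, str]]:
    """Collapse repeated WriteProcessMemory rows into unique parent->child edges.

    The report lists each pair three times; every child is one of the dropped
    EXEs, so these are process-creation writes, not injection into a bystander.
    """
    toks = exec_row.split()
    names = {int(p): n for p, n in zip(toks[::2], toks[1::2])}
    edges: list[tuple[int, int]] = []
    for line in wpm_text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, _pid, proc, _row = m.groups()
        names.setdefault(int(src), proc)
        if (int(src), int(dst)) not in edges:
            edges.append((int(src), int(dst)))
    return [(s, names[s], d, names.get(d, "?")) for s, d in edges]


if __name__ == "__main__":
    for e in parse_run_keys(RUN_KEY_ROWS):
        flag = "USER-WRITABLE" if e.user_writable else "ok"
        print(f"[{flag}] {e.hive}\\...\\Run\\{e.value_name} -> {e.target} {e.args} (by {e.writer})")
    for s, sn, d, dn in process_chain(WPM_ROWS, EXEC_ROW):
        print(f"{sn} ({s}) -> {dn} ({d})")
```

Run with the report's own rows, this yields two HKCU autostart entries written by adinstall.tmp, both flagged user-writable, and the three-edge chain sample -> adinstall.exe -> adinstall.tmp -> metablogagent.exe. Pointing the same parser at other reports only requires that the rows keep the layout shown on this page.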
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe  (PID 4816)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe"
   Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe  (PID 2600)
      Command line: C:\Users\Admin\AppData\Local\Temp\\adm\adinstall.exe /VERYSILENT /SUPPRESSMSGBOXES
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\is-41EB1.tmp\adinstall.tmp  (PID 3896)
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-41EB1.tmp\adinstall.tmp" /SL5="$A004E,257361,138240,C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe" /VERYSILENT /SUPPRESSMSGBOXES
         Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe  (PID 448)
            Command line: "C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe" /install
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

Reading the chain: the sample drops adinstall.exe into %TEMP%\adm and runs it silently. The is-41EB1.tmp\adinstall.tmp stage launched with /SL5= is the Inno Setup loader pattern (/VERYSILENT and /SUPPRESSMSGBOXES are Inno Setup's silent-install switches), and it is this stage that writes the two HKCU Run values pointing into %LOCALAPPDATA%\MetablogNewIssues. The dropped agent is then started with /install. Each WriteProcessMemory entry pairs a parent with the child it spawns, which matches ordinary process creation rather than injection into an unrelated process.
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 126KB
  MD5: 0fcab5303210e2738b72b668cbfc2dbc
  SHA1: d809593e9257cd54f137eac5c7a75bb7a62cd0cf
  SHA256: f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c
  SHA512: 82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1
- Filesize: 633KB
  MD5: ab870789508865d907b4868890b299de
  SHA1: 59337bc37f47298d27d1a33441b3aa753d2581a9
  SHA256: 6a77411d27b031b57769df1832a69a905397da8b2a07435d36ec7ceb57171af2
  SHA512: 13646c8148198368d3a14d78d288df46a9d5c97575e5881067cafa10617e9c5d51680f3706555181672686e06bd91d6c64ebd346af1bb8854b7877d52b60b200
- Filesize: 1.1MB
  MD5: ef4643fb82df32a3d7fa4c8739c7006b
  SHA1: d2c7e71f33fb1c751946a42bf409e36a9ecb54e9
  SHA256: 974700947c38a03e00e60fbcdb7c1132e8900a16ece8d3a6943458b230248abc
  SHA512: db3f1e0650f9708a27eb7171438a89b7f70624a6de22e6a5bc98ccf33e27cc0419f0ec589c03abe2b6c0ecaa46cfccd9f747bebd4e5d78d34148866e101ed51c