Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 162s
max time network: 197s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 14:21
Static task: static1
Behavioral task: behavioral1
  Sample: a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe
  Resource: win10v2004-20220812-en
General
Target: a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe
Size: 172KB
MD5: 6a3c9bf858c46682d7536fe726250109
SHA1: beb225bdc17c8c46af575ec3bf492184f6aaeb12
SHA256: a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d
SHA512: 99a39b9127e6319bdd10e12c9cf5380a5c8c145dd0bbaca159b0dc3c8a613d1bcf3af9a372ec522242d5cf29f0e5bfffd226d58af2f48abfbe33fb27f70a19ee
SSDEEP: 3072:y9qlz7agvSTbc6fx4lq3S36kgEZaHcNuJTuMcbrFzb:hSM6fx4lN6kvZa8NGuMcv
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid  | Process
  1656 | tffohody.exe
  2688 | tffohody.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\healm_whiq.lnk | tffohody.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\healm_whiq.lnk | tffohody.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PC Health Status = "C:\\Users\\Admin\\AppData\\Roaming\\tffohody.exe" | tffohody.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Health Status = "C:\\Users\\Admin\\AppData\\Roaming\\tffohody.exe" | tffohody.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  1656 | tffohody.exe
  1656 | tffohody.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3508 wrote to memory of 1656 | 3508 | a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe | 80
  PID 3508 wrote to memory of 1656 | 3508 | a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe | 80
  PID 3508 wrote to memory of 1656 | 3508 | a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe | 80
  PID 1656 wrote to memory of 2688 | 1656 | tffohody.exe | 81
  PID 1656 wrote to memory of 2688 | 1656 | tffohody.exe | 81
  PID 1656 wrote to memory of 2688 | 1656 | tffohody.exe | 81
Processes
1. C:\Users\Admin\AppData\Local\Temp\a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d.exe"
   PID: 3508
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\tffohody.exe
      Command line: "C:\Users\Admin\AppData\Roaming\tffohody.exe"
      PID: 1656
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\tffohody.exe
         Command line: "C:\Users\Admin\AppData\Roaming\tffohody.exe" FOOS
         PID: 2688
         - Executes dropped EXE
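The signatures and process tree above record three persistence points for the dropped copy (the Run value "PC Health Status" in both the machine hive and the user hive, the Startup shortcut healm_whiq.lnk, and the executable itself in %APPDATA%) plus a child spawned with the argument FOOS. The machine-wide value landing under WOW6432Node is the registry redirection a 32-bit process (the sample carries the arch:x86 tag) gets when it writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows, so a hunt should check the redirected and the native key. The PowerShell script below is an added example, not part of the tria.ge report or its tooling: it looks for exactly these indicators on a live host. It assumes a 64-bit Windows host with profiles under C:\Users (the sandbox's "Admin" user is replaced by a loop over every profile), an elevated session so that the HKEY_USERS hives of logged-on users are readable, and only the indicators on this page; the Add-Finding helper and the variable names are this example's own.

```powershell
# Added hunt script (not from the tria.ge report). Checks a Windows host for the
# persistence artefacts recorded in this analysis. Run elevated so that HKEY_USERS
# hives of logged-on users are readable. Helper and variable names are this example's own.

$SampleSha256 = 'A822048D81B2A907842ECA75F2D57856EA752BD41C442B1D899B03B640EE240D'
$RunValueName = 'PC Health Status'
$DroppedName  = 'tffohody.exe'
$StartupLnk   = 'healm_whiq.lnk'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Run keys. The report shows the machine-wide value under WOW6432Node, which is where
#    a 32-bit process is redirected on 64-bit Windows; the native key is checked as well.
#    HKEY_USERS is walked with a wildcard so every loaded user hive is covered.
$runKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        foreach ($p in $item.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            # Match on the value name the sample used, or on any value pointing at the dropped file name.
            if ($p.Name -eq $RunValueName -or ($p.Value -is [string] -and $p.Value -like "*\$DroppedName*")) {
                Add-Finding 'RunKey' $item.PSPath "$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Dropped executable and Startup shortcut, in every profile rather than only "Admin".
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $exe = Join-Path $userDir.FullName "AppData\Roaming\$DroppedName"
    if (Test-Path -LiteralPath $exe) {
        # The dropped copy in the report has the same SHA256 as the submitted sample.
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $detail = if ($hash -eq $SampleSha256) { 'SHA256 matches the analysed sample' } else { "SHA256 $hash differs from the analysed sample" }
        Add-Finding 'DroppedFile' $exe $detail
    }
    $lnk = Join-Path $userDir.FullName "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$StartupLnk"
    if (Test-Path -LiteralPath $lnk) {
        Add-Finding 'StartupLnk' $lnk 'present'
    }
}

# 3. Live processes: the dropped binary runs from %APPDATA% and spawns a copy of itself with "FOOS".
Get-CimInstance -ClassName Win32_Process -Filter "Name = '$DroppedName'" -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Process' "PID $($_.ProcessId) (parent $($_.ParentProcessId))" $_.CommandLine
}

if ($findings.Count -eq 0) {
    'No indicators from this report were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A Run-key value name and a file name are weak indicators on their own (both are trivial for the author to change), which is why the script also hashes the file it finds and reports a hash mismatch rather than silently accepting the path: a binary at the same path with a different hash still deserves a look, it just is not this exact sample.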
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 546B
MD5: d3695926b6b615fa7d8ba051d2c5157f
SHA1: 5b1225e2c0b91c7204f30bb227590c72af6c0f8b
SHA256: bbd3679d06a862a5ce1e993fff84b720dd4ee6a2a00eb71adf9ada1ffa513195
SHA512: 5dc823e69760dc6a8afcf6c62ba5a71e303ea57d657e940be3464cf091910fcb9cd96ef8fab9b7ed7e55f3fa087934966863ecac5a9749f88d9a3b07cb26f59a

Filesize: 172KB
MD5: 6a3c9bf858c46682d7536fe726250109
SHA1: beb225bdc17c8c46af575ec3bf492184f6aaeb12
SHA256: a822048d81b2a907842eca75f2d57856ea752bd41c442b1d899b03b640ee240d
SHA512: 99a39b9127e6319bdd10e12c9cf5380a5c8c145dd0bbaca159b0dc3c8a613d1bcf3af9a372ec522242d5cf29f0e5bfffd226d58af2f48abfbe33fb27f70a19ee
(This 172KB entry is listed three times with identical hashes; they match the submitted sample, so the dropped tffohody.exe is a byte-for-byte copy of it.)