Analysis
max time kernel: 159s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 16:44
Behavioral task: behavioral1
Sample: dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe
Resource: win10v2004-20221111-en
General
Target: dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe
Size: 98KB
MD5: 25b3f992c2ab8e8b12e8684dcd00e5e0
SHA1: c05df6faa70f9311f5ff39ed3f117cbba4c1e9e3
SHA256: dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1
SHA512: 6adf828c448297d68e0842ad74f36674ab0d2fa1dd5a2a1d35cfc7a9078868e71d1f250be220abc88f7c73675b9218f8e4b845ed5bc42942ba6dc69213243897
SSDEEP: 1536:MMMamqCubWRVoIHQ9SMxevLrs9zq/+gMYq0rkIdHx9mB8HxWZozbY6BJymq7vUq:IQbWwIHEgv0QpMTIlXWZozbYPmeqV
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\lsass.exe" | reg.exe

resource | yara_rule
behavioral2/memory/1560-132-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/1560-134-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/1560-141-0x0000000000400000-0x0000000000431000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
1580 | cmd.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Each write below is logged three times in the report (11 distinct writes, 33 IoCs in total).
description | pid | Process | procid_target
PID 1560 wrote to memory of 1252 | 1560 | dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe | 79
PID 1560 wrote to memory of 780 | 1560 | dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe | 81
PID 1560 wrote to memory of 4576 | 1560 | dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe | 83
PID 1560 wrote to memory of 1460 | 1560 | dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe | 86
PID 1252 wrote to memory of 1580 | 1252 | cmd.exe | 85
PID 780 wrote to memory of 2304 | 780 | cmd.exe | 88
PID 4576 wrote to memory of 2560 | 4576 | cmd.exe | 89
PID 2304 wrote to memory of 2484 | 2304 | cmd.exe | 90
PID 2560 wrote to memory of 4836 | 2560 | cmd.exe | 91
PID 1460 wrote to memory of 4916 | 1460 | cmd.exe | 92
PID 4916 wrote to memory of 2716 | 4916 | cmd.exe | 93

Views/modifies file attributes (1 TTP, 2 IoCs)
pid | Process
4836 | attrib.exe
2716 | attrib.exe
Processes
(process tree; indentation shows the parent/child level reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe"
    PID: 1560
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe" "C:\Users\Admin\AppData\lsass.exe"
        PID: 1252
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\dfd8bb785c53a7b2d3cddf680dbb1388d6089450a65ca8e9b7f5f5168ec028e1.exe" "C:\Users\Admin\AppData\lsass.exe"
            PID: 1580
            - Suspicious behavior: RenamesItself

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c cmd /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
        PID: 780
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
            PID: 2304
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\reg.exe
                command line: reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v userinit /t reg_sz /d "C:\WINDOWS\system32\userinit.exe,C:\Users\Admin\AppData\lsass.exe" /f
                PID: 2484
                - Modifies WinLogon for persistence

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c cmd /c attrib +h "C:\Users\Admin\AppData\lsass.exe"
        PID: 4576
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c attrib +h "C:\Users\Admin\AppData\lsass.exe"
            PID: 2560
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib +h "C:\Users\Admin\AppData\lsass.exe"
                PID: 4836
                - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c cmd /c attrib +h "C:\Users\Admin\AppData"
        PID: 1460
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c attrib +h "C:\Users\Admin\AppData"
            PID: 4916
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                command line: attrib +h "C:\Users\Admin\AppData"
                PID: 2716
                - Views/modifies file attributes