Analysis
- max time kernel: 135s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 17:11
Static task: static1
Behavioral task: behavioral1
- Sample: d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe
- Resource: win10v2004-20220812-en
General
- Target: d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe
- Size: 153KB
- MD5: bf70b35669b6f1cadf7d9d50c2d32749
- SHA1: b4f6638676d7a777891cecbdaad337451f0c09f4
- SHA256: d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2
- SHA512: a1f86fbe1531e50a8ad31a954b469db6b01f0a45309fc9310675dc62889d756ca0dfb7e1a9231f64643ea3a07b47966b4e009df3028a38da16fc730a73821fe6
- SSDEEP: 3072:/3oJPHt/Ta8oButTBfDA9/IiAkSkaVcBgv8JyfeGYmXHEy:/0TalButTBE9AuSLiUmMv
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  4832 | 1.exe
  3008 | ¸´¼þ 1.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/files/0x0006000000022e19-133.dat | upx
  behavioral2/files/0x0006000000022e1a-135.dat | upx
  behavioral2/files/0x0006000000022e19-136.dat | upx
  behavioral2/files/0x0006000000022e1a-137.dat | upx
  behavioral2/memory/4832-142-0x0000000000400000-0x0000000000424000-memory.dmp | upx
  behavioral2/memory/3008-143-0x0000000000400000-0x0000000000424000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe
  4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4516 wrote to memory of 4832 | 4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe | 79
  PID 4516 wrote to memory of 4832 | 4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe | 79
  PID 4516 wrote to memory of 4832 | 4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe | 79
  PID 4516 wrote to memory of 3008 | 4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe | 81
  PID 4516 wrote to memory of 3008 | 4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe | 81
  PID 4516 wrote to memory of 3008 | 4516 | d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe | 81
  PID 4832 wrote to memory of 3472 | 4832 | 1.exe | 84
  PID 4832 wrote to memory of 3472 | 4832 | 1.exe | 84
  PID 4832 wrote to memory of 3472 | 4832 | 1.exe | 84
  PID 3008 wrote to memory of 4116 | 3008 | ¸´¼þ 1.exe | 83
  PID 3008 wrote to memory of 4116 | 3008 | ¸´¼þ 1.exe | 83
  PID 3008 wrote to memory of 4116 | 3008 | ¸´¼þ 1.exe | 83
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1a00e18217db0c01b1cd575a9bb720826bd5241c9602270a40dc881dd22fdc2.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4516
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\1.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4832
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7D33.tmp\¸´¼þ 1.bat""
      PID: 3472
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Temp\¸´¼þ 1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\¸´¼þ 1.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3008
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7D34.tmp\¸´¼þ 1.bat""
      PID: 4116
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 505B
  MD5: cfcc003c9f8d381cb60b014be22c7720
  SHA1: 729d783f61cdd9d88da7501960ef951c656c19e4
  SHA256: 42c3b47325f14435f4088354b9e62d4393e7396fa06027c1f5d5f0bb686a47de
  SHA512: 737eba80ec7a2d364a0e1711522f1eaa2a655b6758f920013a6308e4861609b23a13903e62750158dec794dd83eadd95c9065b8dc32f738cd89e141964e8cb6d
- Filesize: 64KB
  MD5: d69c7510720d46f81e1b820b3da51124
  SHA1: dc8ec58e3487f320b56899bfd7d8148e5d884af6
  SHA256: dfc80597a5e79bdeddbfce4898527e5285b9984f0b25507df3c9ea6271336922
  SHA512: c8ecf8ecc998896e2da8f8d692496671292821bd7e566317f2da082c2a8219ef6d3210cce2372caeb2dc9af766352654d81ad33cfe0ac76298dad0e62d4f3a2c