Analysis

max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 20:49
Static task: static1

Behavioral task: behavioral1
  Sample: 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
  Resource: win10v2004-20220901-en
General

Target: 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
Size: 84KB
MD5: 5e15e32dc406f3ff5d133554ff664d85
SHA1: d3aedb0f45c0a4f3f51ecff369af80899ffdd068
SHA256: 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe
SHA512: 01f4357d1485e51f63bb2e265bb63471826f59bd8d0b6382531d7903d73dd9c80eaab48bab76fb990845d61dcd771358ef9890dd7b0ccd45167c8df4a6699c87
SSDEEP: 1536:6bLrLRMz0eMz3Rf+Yly6Erx2bgg0h4aUmsKdEt1ZdcC:6bLfR7z3d++EAgPhLsh1w
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A665128486.exe | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A665128486.exe | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\A665128486 = "C:\\Users\\Admin\\AppData\\Roaming\\A665128486.exe" | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A665128486 = "C:\\Users\\Admin\\AppData\\Roaming\\A665128486.exe" | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\A665128486 = "C:\\Users\\Admin\\AppData\\Roaming\\A665128486.exe" | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\A665128486 = "C:\\Users\\Admin\\AppData\\Roaming\\A665128486.exe" | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2952 | schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 400 wrote to memory of 3752 | 400 | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe | 82
  PID 400 wrote to memory of 3752 | 400 | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe | 82
  PID 400 wrote to memory of 3752 | 400 | 96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe | 82
  PID 3752 wrote to memory of 2952 | 3752 | cmd.exe | 84
  PID 3752 wrote to memory of 2952 | 3752 | cmd.exe | 84
  PID 3752 wrote to memory of 2952 | 3752 | cmd.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96ae90c073908db668a64e3a48f64cfc523e87e711d5a843121f1bbd02dd1bbe.exe"
  PID: 400
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\sttemp665128486.bat" "
    PID: 3752
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: SCHTASKS /CREATE /SC ONLOGON /TN "A665128486" /TR "C:\Users\Admin\AppData\Roaming\A665128486.exe"
      PID: 2952
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 165B
MD5: 9e136b33c3c1e6c7cb212098c9c717f4
SHA1: 67e71bc959eb841270a46c7f5a2d71dac054e9df
SHA256: d525653330a01f5a3fe1a4c3804c546669447c8c5deb52f264fde31f5aa6c324
SHA512: 3c3e3f77863e59fa39e8df64bc59b36af8aec153a65d1dce3a1ab5579c2904e7a47c60b6315abe5b008a321d19990aeea5824a1ec61c02d857ba7d29f8b56e92