Analysis
max time kernel: 160s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 21:44
Static task
static1
Behavioral task
behavioral1
Sample
6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe
Resource
win10v2004-20220812-en
General
Target: 6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe
Size: 76KB
MD5: 48230377eef1133712c3945b551890d9
SHA1: 264f853961120c4166d215ed08675b55247d10de
SHA256: 6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc
SHA512: 8cb30fdfa17ec17898b3138519aff055874b7d5c2d457242cffae91a045f1c361ec65c4d038b3b47eb658162b55b3980a477c3b6a27b0955e0ecef6e2e434b3c
SSDEEP: 1536:ULXB65939tY6HBg4sXJlb36UJVq2PBbYOQ+38Xx/9t/jKISm0qHWZ:ULk395hYXJ93F8OQK8Xxb7rSeE
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 11 IoCs
Detects file using ACProtect software.
resource                                     yara_rule
behavioral2/files/0x0006000000022e20-142.dat acprotect
behavioral2/files/0x0006000000022e20-143.dat acprotect
behavioral2/files/0x0008000000022e18-148.dat acprotect
behavioral2/files/0x0008000000022e18-149.dat acprotect
behavioral2/files/0x0006000000022e20-150.dat acprotect
behavioral2/files/0x0006000000022e20-151.dat acprotect
behavioral2/files/0x0006000000022e20-156.dat acprotect
behavioral2/files/0x0008000000022e18-160.dat acprotect
behavioral2/files/0x0008000000022e18-161.dat acprotect
behavioral2/files/0x0006000000022e20-162.dat acprotect
behavioral2/files/0x0006000000022e20-163.dat acprotect
Executes dropped EXE 3 IoCs
pid  Process
4952 fzwg.exe
4132 wsafe.exe
2732 9520.tmp

UPX packed file 21 IoCs
resource                                                                yara_rule
behavioral2/files/0x0006000000022e20-142.dat                            upx
behavioral2/files/0x0006000000022e20-143.dat                            upx
behavioral2/memory/3480-146-0x0000000010000000-0x000000001001F000-memory.dmp upx
behavioral2/files/0x0008000000022e18-148.dat                            upx
behavioral2/files/0x0008000000022e18-149.dat                            upx
behavioral2/files/0x0006000000022e20-150.dat                            upx
behavioral2/files/0x0006000000022e20-151.dat                            upx
behavioral2/memory/508-153-0x0000000010000000-0x000000001001F000-memory.dmp  upx
behavioral2/memory/508-154-0x0000000002650000-0x000000000266F000-memory.dmp  upx
behavioral2/files/0x0006000000022e20-156.dat                            upx
behavioral2/memory/508-157-0x0000000010000000-0x000000001001F000-memory.dmp  upx
behavioral2/memory/508-158-0x0000000002650000-0x000000000266F000-memory.dmp  upx
behavioral2/files/0x0008000000022e18-160.dat                            upx
behavioral2/files/0x0008000000022e18-161.dat                            upx
behavioral2/files/0x0006000000022e20-162.dat                            upx
behavioral2/files/0x0006000000022e20-163.dat                            upx
behavioral2/memory/4692-164-0x0000000010000000-0x000000001001F000-memory.dmp upx
behavioral2/memory/3480-165-0x0000000010000000-0x000000001001F000-memory.dmp upx
behavioral2/memory/3300-166-0x0000000010000000-0x000000001001F000-memory.dmp upx
behavioral2/memory/3300-167-0x0000000002BF0000-0x0000000002C0F000-memory.dmp upx
behavioral2/memory/3300-168-0x0000000002BF0000-0x0000000002C0F000-memory.dmp upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description       ioc                                                                                                      Process
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe
Loads dropped DLL 8 IoCs
pid  Process
3480 rundll32.exe
508  rundll32.exe
508  rundll32.exe
508  rundll32.exe
4692 rundll32.exe
3300 rundll32.exe
3300 rundll32.exe
3300 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 10 IoCs
description     ioc                                                                                                                                                                              Process
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}                                                                                      rundll32.exe
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}                                                                                      rundll32.exe
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                                                                                             rundll32.exe
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}                                                                                      rundll32.exe
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}                                                                                      rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "C:\\ProgramData\\360data\\b8903ac3.z,1328351113,334364683,-1814625877" rundll32.exe
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32                                                                       rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "C:\\ProgramData\\360data\\b8903ac3.z,1328351113,334364683,-1814625877" rundll32.exe
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32                                                                       rundll32.exe
Key created     \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                                                                                             rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
4952 fzwg.exe
4952 fzwg.exe
Suspicious use of WriteProcessMemory 23 IoCs
description                        pid  Process                                                               procid_target
PID 396 wrote to memory of 4952    396  6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe 79
PID 396 wrote to memory of 4952    396  6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe 79
PID 396 wrote to memory of 4952    396  6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe 79
PID 396 wrote to memory of 4132    396  6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe 80
PID 396 wrote to memory of 4132    396  6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe 80
PID 396 wrote to memory of 4132    396  6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe 80
PID 4132 wrote to memory of 2732   4132 wsafe.exe                                                             81
PID 4132 wrote to memory of 2732   4132 wsafe.exe                                                             81
PID 4132 wrote to memory of 2732   4132 wsafe.exe                                                             81
PID 2732 wrote to memory of 3480   2732 9520.tmp                                                              82
PID 2732 wrote to memory of 3480   2732 9520.tmp                                                              82
PID 2732 wrote to memory of 3480   2732 9520.tmp                                                              82
PID 3480 wrote to memory of 508    3480 rundll32.exe                                                          83
PID 3480 wrote to memory of 508    3480 rundll32.exe                                                          83
PID 3480 wrote to memory of 508    3480 rundll32.exe                                                          83
PID 3480 wrote to memory of 4800   3480 rundll32.exe                                                          84
PID 3480 wrote to memory of 4800   3480 rundll32.exe                                                          84
PID 4800 wrote to memory of 4692   4800 RunDll32.exe                                                          85
PID 4800 wrote to memory of 4692   4800 RunDll32.exe                                                          85
PID 4800 wrote to memory of 4692   4800 RunDll32.exe                                                          85
PID 4692 wrote to memory of 3300   4692 rundll32.exe                                                          86
PID 4692 wrote to memory of 3300   4692 rundll32.exe                                                          86
PID 4692 wrote to memory of 3300   4692 rundll32.exe                                                          86
Processes
C:\Users\Admin\AppData\Local\Temp\6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe"
  PID: 396
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\fzwg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fzwg.exe"
    PID: 4952
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\wsafe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wsafe.exe"
    PID: 4132
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\9520.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\9520.tmp" "C:\Users\Admin\AppData\Local\Temp\wsafe.exe" "4132"
      PID: 2732
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32 shell32,Control_RunDLL "C:\ProgramData\360data\b8903ac3.z"
        PID: 3480
        - Loads dropped DLL
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32 "C:\ProgramData\360data\operar32.dll",_RunAs@16
          PID: 508
          - Loads dropped DLL
        C:\Windows\system32\RunDll32.exe
          Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\ProgramData\360data\b8903ac3.z"
          PID: 4800
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\ProgramData\360data\b8903ac3.z"
            PID: 4692
            - Loads dropped DLL
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\rundll32.exe
              Command line: rundll32 "C:\ProgramData\360data\operar32.dll",_RunAs@16
              PID: 3300
              - Loads dropped DLL
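The process tree shows the dropped payload being launched through shell32's Control Panel loader (Control_RunDLL by name at PIDs 3480 and 4800, and by ordinal #44 at PID 4692) with a .z file where a .cpl would normally go, after which rundll32 loads operar32.dll out of C:\ProgramData. The following is an added example of detection logic over process-creation events; it is not part of the tria.ge report. The event records are constructed from the tree above, and the (pid, ppid, image, cmdline) schema, the rule names and the user-writable path list are assumptions rather than any EDR's real format.

```python
"""Flag rundll32 / Control_RunDLL abuse in process-creation events.

Added example for this report, not part of the sandbox output. The records
below are constructed from the report's process tree; the (pid, ppid, image,
cmdline) schema and the rule names are assumptions, not any EDR's format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6f0cacf34faba49af88f975b76c66d72d1c21928e35b0d6983df86ad8c22a2bc.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WOW = r"C:\Windows\SysWOW64\rundll32.exe"
PAYLOAD = r"C:\ProgramData\360data\b8903ac3.z"
OPERAR = r"C:\ProgramData\360data\operar32.dll"

# Constructed from the process tree in the report (PIDs and command lines as listed).
EVENTS: List[ProcEvent] = [
    ProcEvent(396, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(4952, 396, TEMP + r"\fzwg.exe", '"' + TEMP + r'\fzwg.exe"'),
    ProcEvent(4132, 396, TEMP + r"\wsafe.exe", '"' + TEMP + r'\wsafe.exe"'),
    ProcEvent(2732, 4132, TEMP + r"\9520.tmp",
              '"' + TEMP + r'\9520.tmp" "' + TEMP + r'\wsafe.exe" "4132"'),
    ProcEvent(3480, 2732, WOW, 'rundll32 shell32,Control_RunDLL "' + PAYLOAD + '"'),
    ProcEvent(508, 3480, WOW, 'rundll32 "' + OPERAR + '",_RunAs@16'),
    ProcEvent(4800, 3480, r"C:\Windows\system32\RunDll32.exe",
              r'C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "' + PAYLOAD + '"'),
    ProcEvent(4692, 4800, WOW,
              '"' + WOW + r'" "C:\Windows\SysWOW64\shell32.dll",#44 "' + PAYLOAD + '"'),
    ProcEvent(3300, 4692, WOW, 'rundll32 "' + OPERAR + '",_RunAs@16'),
]

# shell32's Control Panel loader, by export name or by ordinal. #44 is listed
# because the report shows it invoked with the same payload argument as
# Control_RunDLL; ordinals are build-specific, so extend this per environment.
CPL_LOADER_RE = re.compile(
    r'(?i)shell32(?:\.dll)?"?\s*,\s*(?:Control_RunDLL|#44)\b\s*"?([^"]+)')

# First argument to rundll32: the module being loaded, then ",export" or ",#ordinal".
RUNDLL_MODULE_RE = re.compile(
    r'(?i)rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(#\d+|[A-Za-z_@][\w@]*)')

# Assumed list of locations a standard user can write to.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def root_of(events: List[ProcEvent], pid: int) -> int:
    """Walk ppid links back to the first process in this tree."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def analyse(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per suspicious rundll32 invocation."""
    findings = []
    for e in events:
        if "rundll32" not in e.image.lower():
            continue
        m = CPL_LOADER_RE.search(e.cmdline)
        if m:
            target = m.group(1).strip()
            # A real applet is a .cpl living in a protected directory.
            if not target.lower().endswith(".cpl") or is_user_writable(target):
                findings.append({"pid": e.pid, "rule": "cpl_loader_nonstandard_target",
                                 "detail": target, "root": root_of(events, e.pid)})
        m = RUNDLL_MODULE_RE.search(e.cmdline)
        if m and is_user_writable(m.group(1)):
            findings.append({"pid": e.pid, "rule": "rundll32_user_writable_module",
                             "detail": m.group(1).strip(), "root": root_of(events, e.pid)})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<32} {f['detail']}  (tree root pid {f['root']})")
```

Against the constructed events this yields five findings: the three Control_RunDLL / #44 launches of b8903ac3.z and the two loads of operar32.dll from C:\ProgramData, every one tracing back to the sample in the user's Temp directory (PID 396). Matching `shell32,Control_RunDLL` on its own would fire on every legitimate Control Panel applet launch, which is why the rule only alerts when the argument is not a .cpl or sits in a user-writable path.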
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 33KB
MD5: 778b13f6bd733b0f62b2a7852b15400b
SHA1: 922db497cfd067b3d9560804f6b8c638ea2e6bb2
SHA256: 39b2832c88c91bc726f47fde3257815a17fdbf89a91357965993b7abefdd2731
SHA512: 7a894607d8f7888d032083a1c39952b1d7e8afb6f604d5643118de40d0abbe6d4702a53c73f202b08a83871a350ac03a2b195049b26612a3455ca0def0e9f54c
Filesize: 39KB
MD5: c2b31b3ccb5a4ff1b546eff12835a14e
SHA1: a7aa54d3ff74c1c8b8c701df985d7cb903c70770
SHA256: 0e7864e7531f48c21264f85bba075615bc250693b50e89287747c961fb837cf0
SHA512: 0be1271ba6e0ca3957d51be38a558d2aac8a2e4f427cb8e0d924313f08a8d6ea12f3a69cf28ec0ae5dd6855bc706a584e16ca3b3482fd64cad18091ca613a3ce
Filesize: 48KB
MD5: 8fa3b84b97ecb168ebee8c94ed3e4908
SHA1: d200951fc47ecc8669bc4b1abdce8156c81c58af
SHA256: e02f4d186f740586f3d356db7bbbf3e69d3e78f4983598a7555be9cb720fbb50
SHA512: 5a5d96b5c64043a2b60a5d646283497dc115e25c82f93261fed02583718eef85772024437b81f85f558d4302bbd5e738d37aa2ffb938f2eb9967ba0c7f72c500