Analysis
  max time kernel: 159s
  max time network: 170s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02/12/2022, 23:34
Behavioral task: behavioral1
  Sample: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe
  Resource: win10v2004-20220812-en
General
  Target: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe
  Size: 6KB
  MD5: 8b3525a7abe5d1a226730c4aeb73526c
  SHA1: e5f375e318eef59fff41ddeca99c3897fb05544e
  SHA256: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528
  SHA512: 82a7de5239de78573037099a1135bc81d5fe0d3b1800c81fae0ba4bb5b88a0f95f0bd23f04d40135ffee4806031fbce9e0a1173dd80632c8d49f3742cd99b210
  SSDEEP: 96:8ZKmoW3LVeBHQGn6SZUqTNms7s8PFsBVWJpbBHa0roOQL2ADnYQghbI4:8s2bwHQibcsQEhfFa0rML/Ahc
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\conime.exe"
  Process: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe

Executes dropped EXE (1 IoC)
  pid: 3604  Process: conime.exe

yara_rule matches
  resource: behavioral2/memory/4716-132-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
  resource: behavioral2/files/0x0006000000022e47-137.dat  yara_rule: upx
  resource: behavioral2/files/0x0006000000022e47-136.dat  yara_rule: upx
  resource: behavioral2/memory/4716-138-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3604-139-0x0000000000400000-0x0000000000408000-memory.dmp  yara_rule: upx

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Process: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe

Loads dropped DLL (1 IoC)
  pid: 3604  Process: conime.exe

Drops file in System32 directory (2 IoCs)
  description: File created  ioc: C:\Windows\SysWOW64\USBhelp.dll  Process: conime.exe
  description: File opened for modification  ioc: C:\Windows\SysWOW64\USBhelp.dll  Process: conime.exe

Drops file in Windows directory (2 IoCs)
  description: File created  ioc: C:\Windows\system\conime.exe  Process: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe
  description: File opened for modification  ioc: C:\Windows\system\conime.exe  Process: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 3604  Process: conime.exe  (the same entry is repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 3604  Process: conime.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4716 wrote to memory of 2020  pid: 4716  Process: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe  procid_target: 79  (3 entries)
  description: PID 4716 wrote to memory of 3604  pid: 4716  Process: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe  procid_target: 81  (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528.exe"
   PID: 4716
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c c:\test.bat
      PID: 2020

   2. C:\Windows\system\conime.exe
      command line: "C:\Windows\system\conime.exe"
      PID: 3604
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 1.6MB
  MD5: e0e12856ca90be7f5ab8dfc0f0313078
  SHA1: cc5accf48b8e6c2fd39d1f800229cdbb54305518
  SHA256: 81ec3e3c98e5f0af0dca21b9f08f2be445b46df2ca2354eaf3523bddcb125619
  SHA512: 162c56367dca2291117f2391951970273969518b0db2bbc5d51c458173a8028c88d9dfd93aef01ed05b369f953e2953cc6be252daeb17556dbc33e5383900fa6

  Filesize: 6KB
  MD5: 8b3525a7abe5d1a226730c4aeb73526c
  SHA1: e5f375e318eef59fff41ddeca99c3897fb05544e
  SHA256: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528
  SHA512: 82a7de5239de78573037099a1135bc81d5fe0d3b1800c81fae0ba4bb5b88a0f95f0bd23f04d40135ffee4806031fbce9e0a1173dd80632c8d49f3742cd99b210

  Filesize: 6KB
  MD5: 8b3525a7abe5d1a226730c4aeb73526c
  SHA1: e5f375e318eef59fff41ddeca99c3897fb05544e
  SHA256: a3282d2d782635c0a83c86b082dbdff29ac24f3c9e5d6e80e3f2c0e76bcdc528
  SHA512: 82a7de5239de78573037099a1135bc81d5fe0d3b1800c81fae0ba4bb5b88a0f95f0bd23f04d40135ffee4806031fbce9e0a1173dd80632c8d49f3742cd99b210

  Filesize: 249B
  MD5: d64e0fcf3736cd91c9240d168c43d9a6
  SHA1: ec499509d39e246354092d728bc9ecd981d1bbd5
  SHA256: f322146ebfffab7d257c38e3ef5768cf859ac592bfa9229ad9de0a698f877a59
  SHA512: ecdf2f7c2e5a8840c8db1a8840803daa472412c488d5cbfb8e93bf7be5fcfed59a53d37b61aa8c65ff301c89715e4f61d19f964ef47cadf8e677f1d1de3cd8b4