Analysis
- max time kernel: 152s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/12/2022, 23:56
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
  - Resource: win7-20220901-en

Behavioral task
- behavioral2
  - Sample: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
  - Resource: win10v2004-20220812-en
General
- Target: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
- Size: 685KB
- MD5: 95b51c28ce2f926b597bdf572250cd90
- SHA1: 18bece471bcd283e76c7e28c3c6a5eda59b20d8f
- SHA256: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423
- SHA512: 93008f0d344a71e5e9f357e8b90d5a0e7d925c596549f346df9e0b82d96a984e98bde0147bcb4a7b104bab620322336686ab97061c425183d91367c89b7415ec
- SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  256   sumicey.exe
  224   ~DFA241.tmp
  848   evgezey.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                    Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   ~DFA241.tmp

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  pid   Process
  848   evgezey.exe   (this row is repeated 36 times in the report)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   224   ~DFA241.tmp

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    Process                                                                   procid_target
  PID 2544 wrote to memory of 256    2544   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe   80
  PID 2544 wrote to memory of 256    2544   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe   80
  PID 2544 wrote to memory of 256    2544   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe   80
  PID 256 wrote to memory of 224     256    sumicey.exe                                                               81
  PID 256 wrote to memory of 224     256    sumicey.exe                                                               81
  PID 256 wrote to memory of 224     256    sumicey.exe                                                               81
  PID 2544 wrote to memory of 3152   2544   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe   82
  PID 2544 wrote to memory of 3152   2544   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe   82
  PID 2544 wrote to memory of 3152   2544   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe   82
  PID 224 wrote to memory of 848     224    ~DFA241.tmp                                                               86
  PID 224 wrote to memory of 848     224    ~DFA241.tmp                                                               86
  PID 224 wrote to memory of 848     224    ~DFA241.tmp                                                               86
Processes
C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe (PID 2544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\sumicey.exe (PID 256)
      Command line: C:\Users\Admin\AppData\Local\Temp\sumicey.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp (PID 224)
          Command line: C:\Users\Admin\AppData\Local\Temp\~DFA241.tmp OK
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\evgezey.exe (PID 848)
              Command line: "C:\Users\Admin\AppData\Local\Temp\evgezey.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe (PID 3152)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 341B
  MD5: 12c73c2dd7c93f9ec2cf31e3cf281cad
  SHA1: 89d568ae53426e646438e65d7cb143198aaa2177
  SHA256: b7844fc53a2e3a1b7d556a889350f817735ce24979dcfb3993cfa75f191509a4
  SHA512: 100084c08a23c5c4da2502ba745504747e2d32714c6eb50a90a78e4e6abccac5b97e10bac719784b66406cefd34584ba47b802c28be10f172230ea39d636a90e

- Filesize: 408KB
  MD5: dc1be1b5c039eae0b396cfddaa7614f2
  SHA1: 34f1747652b7717650c8004ef0695f90a97a72b9
  SHA256: cef156ea9ce1b50a04ddb602c43a7b96bf70af4202d44edaa28c41057dc7f23e
  SHA512: 01c0785863a9a9de049649f09ccdaf1eb9f139a2dcdd9c7a49d967d214afb61324abe6c3196e61cef7614ba0ffc04fd9ccc23fab39a2c9103de72a3b0104fa2b

- Filesize: 408KB
  MD5: dc1be1b5c039eae0b396cfddaa7614f2
  SHA1: 34f1747652b7717650c8004ef0695f90a97a72b9
  SHA256: cef156ea9ce1b50a04ddb602c43a7b96bf70af4202d44edaa28c41057dc7f23e
  SHA512: 01c0785863a9a9de049649f09ccdaf1eb9f139a2dcdd9c7a49d967d214afb61324abe6c3196e61cef7614ba0ffc04fd9ccc23fab39a2c9103de72a3b0104fa2b

- Filesize: 104B
  MD5: 86bb2dbeaef655893262f3c041f6afe2
  SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
  SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
  SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

- Filesize: 480B
  MD5: 6faada61308f1a6914e502d0b69cb4fd
  SHA1: 987dee6beb0d10a14fd23e84360743c545f0bdfb
  SHA256: 940abc4b2be043bab1fde1a821150a09811bde6090eb45d284dcb0a26e4a5790
  SHA512: 5c06d49f4f6a093f2e4caeb80056315304c18c6904967fc47267e8a342ac2d5708d2b3defa1a780ee28efff808c8c4e57a26fabe6a4dc53f429c6eda0770f8e4

- Filesize: 692KB
  MD5: 869ee54f2c59ef25b1f3345a0b652e89
  SHA1: a229f1dffd9004c6d794026d99e48934efb3e575
  SHA256: 820e56f7cdaac68699130ba2b6343b51e88046684936db41ef5e1982b169b68c
  SHA512: 819dba3a90c188585a832e3eeb232b37fb5f5646b246a40f056c553a38ca0549d743dd2b5eebb43786efc921c59eb450acd3354a6e376611dae9bef72ae1448f

- Filesize: 692KB
  MD5: 869ee54f2c59ef25b1f3345a0b652e89
  SHA1: a229f1dffd9004c6d794026d99e48934efb3e575
  SHA256: 820e56f7cdaac68699130ba2b6343b51e88046684936db41ef5e1982b169b68c
  SHA512: 819dba3a90c188585a832e3eeb232b37fb5f5646b246a40f056c553a38ca0549d743dd2b5eebb43786efc921c59eb450acd3354a6e376611dae9bef72ae1448f

- Filesize: 699KB
  MD5: 83594760b8f64d374372cb26ca7e078b
  SHA1: 6ae3da5579b7c9c8963862ff3a2f2404c9d5d784
  SHA256: dd8340de7b6f7de800b223e2399529c9792a24de6f019d6c7b5844a7d843d541
  SHA512: faedc9beed0a516fe5530d82be69d5d62efab0600fc90d104ed1e4925464c338ad6646c10b624ac5eea674017022cd351562d85bffab6f969136fdd200edc806

- Filesize: 699KB
  MD5: 83594760b8f64d374372cb26ca7e078b
  SHA1: 6ae3da5579b7c9c8963862ff3a2f2404c9d5d784
  SHA256: dd8340de7b6f7de800b223e2399529c9792a24de6f019d6c7b5844a7d843d541
  SHA512: faedc9beed0a516fe5530d82be69d5d62efab0600fc90d104ed1e4925464c338ad6646c10b624ac5eea674017022cd351562d85bffab6f969136fdd200edc806