Analysis

  • max time kernel
    152s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/12/2022, 17:44

General

  • Target

    80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe

  • Size

    173KB

  • MD5

    ebb1ba2ee98688a8fb136e6922d36149

  • SHA1

    787f0c098f82793cd5c236da41de1453bb965b5a

  • SHA256

    80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7

  • SHA512

    3a3caa902507a80bf136987d5c586a4d68e8f03e2a1b935a01dfa5b7ff01524aeea6deddb2cbf2b69f7b358f02277ac85cc0b9165a90a4c9c493044a7fe7cc26

  • SSDEEP

    3072:X4lRkAehGfzmuqTPryFsYax1o9Yh+ZHAzfPZ7Xy4bHlAIyHUQ:X4lRkAehaKuqT+FsYa5+OPNi4Z8

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe
    "C:\Users\Admin\AppData\Local\Temp\80d92ce6870c14705cad6772fd213fb2db3a7ae2e22a9cc57c3e33607603d4f7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\78hjHG.cmd" "
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Windows\SysWOW64\attrib.exe
        attrib -A -H -S -R hosts
        3⤵
        • Views/modifies file attributes
        PID:2764
      • C:\Windows\SysWOW64\attrib.exe
        attrib +S +H +R hosts
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:320
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /ve /d "vbGH43.exe" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:4660

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\78hjHG.cmd

    Filesize

    424B

    MD5

    5ee2b3c2ec0e379e12c4d8242a5fb350

    SHA1

    be8f7a06dee09e906aa64595873b579ca89955fa

    SHA256

    e3391d741ba7f8ba9208003bec615ed52e02cdfc33c9ee4635011b4cef007d0b

    SHA512

    12ed52d19abedc93ec057251b4a9a21f7bfde532d68dd5f1ffdec46ed96bf757304ab310e6fd948351348dd0c6ec89a621a6aeb02aed9020ef49670496f54192

  • C:\Users\Admin\AppData\Local\Temp\vbGH43.exe

    Filesize

    100KB

    MD5

    84def025e483423d3b8431a3e1eb6a95

    SHA1

    28dd6e10c85958334a18b02f835fe8358941afd6

    SHA256

    7f8cecb48badfd674bcae781161a87e69e52407eac3e2bae9c6555d16dce4773

    SHA512

    e1477f7f22fefddf92c287632e0f7b7f22a4fa2506f13f13064dc97b2c3bd0ebaf1b1440a200b76f1ad93ec98a3c652c2fc2a6af9ae2e5b3bfe6aa41f087a969