Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe
  Resource: win10v2004-20220812-en
General
Target: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe
Size: 52KB
MD5: 557fad251a7f9cfc4457138c5fcc56f0
SHA1: 2ac6f05b6f24c0baaa18524bdee4d3f8fd087912
SHA256: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a
SHA512: 82d1e55fadbc3be66ce292d406cebd380f71c9ec72adefdebfea010787cd3920f0be3c902ab2e4b43a1edee6c282dec4e68682b84bb8e473a6bffcb7c4f14712
SSDEEP: 768:W3HRPxnLdhrGs1FND3ij02YvWZ0BuphAEweCgF:EJos133iIWeBKhoHW
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1576  Process: system32.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 3108  Process: netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
    Process: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a4bad84ef1f0ccb763872d870b5a0d0.exe
    Process: system32.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a4bad84ef1f0ccb763872d870b5a0d0.exe
    Process: system32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a4bad84ef1f0ccb763872d870b5a0d0 = "\"C:\\ProgramData\\system32.exe\" .."
    Process: system32.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3a4bad84ef1f0ccb763872d870b5a0d0 = "\"C:\\ProgramData\\system32.exe\" .."
    Process: system32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 1576  Process: system32.exe  (27 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 1576  Process: system32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1260 wrote to memory of 1576  Process: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe  procid_target: 79
  PID 1260 wrote to memory of 1576  Process: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe  procid_target: 79
  PID 1260 wrote to memory of 1576  Process: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe  procid_target: 79
  PID 1576 wrote to memory of 3108  Process: system32.exe  procid_target: 80
  PID 1576 wrote to memory of 3108  Process: system32.exe  procid_target: 80
  PID 1576 wrote to memory of 3108  Process: system32.exe  procid_target: 80
Processes
1. C:\Users\Admin\AppData\Local\Temp\cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1260
   2. C:\ProgramData\system32.exe
      Command line: "C:\ProgramData\system32.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1576
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\ProgramData\system32.exe" "system32.exe" ENABLE
         - Modifies Windows Firewall
         PID: 3108
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 52KB
MD5: 557fad251a7f9cfc4457138c5fcc56f0
SHA1: 2ac6f05b6f24c0baaa18524bdee4d3f8fd087912
SHA256: cf8d0ce47fd80e76eb2dc258027fed76904766ef5c7ffdc142152c8e84c5dc6a
SHA512: 82d1e55fadbc3be66ce292d406cebd380f71c9ec72adefdebfea010787cd3920f0be3c902ab2e4b43a1edee6c282dec4e68682b84bb8e473a6bffcb7c4f14712