Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

cf0f6a60ac...7a.exe

windows7-x64

8

cf0f6a60ac...7a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe

  • Size

    42KB

  • MD5

    c6b81c7fb7d688711923a3774432f42d

  • SHA1

    a4df01899ea43820b1661c57175019dfd6e602a3

  • SHA256

    cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

  • SHA512

    9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

  • SSDEEP

    768:uBUaZmvRRaO52tjS+YC5tZvx0HRVzJ1gFqDhgpVmcLek/c3Lqyu9usvSKvQkv:uBc6GC5bpMMuCuCek/c3LqbEWvQkv

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe
    "C:\Users\Admin\AppData\Local\Temp\cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
      2⤵
        PID:1656
      • C:\windows\SysWOW64\hdnzcucu.exe
        "C:\windows\system32\hdnzcucu.exe" -kill c:\users\admin\appdata\local\temp\cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a.exe /install
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
          3⤵
            PID:1196
          • C:\windows\SysWOW64\hdnzcucu.exe
            "C:\windows\system32\hdnzcucu.exe" -kill c:\windows\syswow64\hdnzcucu.exe /install /install
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3304
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
              4⤵
                PID:2544

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • C:\Windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • C:\windows\SysWOW64\hdnzcucu.exe
          Filesize

          42KB

          MD5

          c6b81c7fb7d688711923a3774432f42d

          SHA1

          a4df01899ea43820b1661c57175019dfd6e602a3

          SHA256

          cf0f6a60ac2c37799b02f26581cc92b2c346bfcdd757d2b459b969ea0e76867a

          SHA512

          9f6f830745ff0d1125d94ac54ed8e0851660ff37142798706c13af6aec854e2e5590d2e5749f01ea629867a506b896bb63ce8fc9fc4cab12a6154b6bf07961a1

          Download Submit

        • memory/1208-141-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3304-143-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4804-132-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4804-137-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download