Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

c763320a86...36.exe

windows7-x64

8

c763320a86...36.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    160s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c763320a868176829242f24e89449db7df8972af2250c9ad895319d06abcd336.exe

  • Size

    1.1MB

  • MD5

    71cf3251dd8f91988bd95c0e85b8b6ca

  • SHA1

    27e52817722ea18a53a9b4dcf8a466d05666b10a

  • SHA256

    c763320a868176829242f24e89449db7df8972af2250c9ad895319d06abcd336

  • SHA512

    dc4d226405a6d5679b29a927fc8c30934a2904236f3b74c1594b0cd60aebab63e1459eae7ba9b9c96cb78f2bc1c207367d352ece374e3e7057df07e688f7399b

  • SSDEEP

    24576:fISkZRaSijyUuPNr7yKNzw9DdkVwF0g+yU8BUZP7jl:fISkLaSiboN3NEnIwzy7jl

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c763320a868176829242f24e89449db7df8972af2250c9ad895319d06abcd336.exe
    "C:\Users\Admin\AppData\Local\Temp\c763320a868176829242f24e89449db7df8972af2250c9ad895319d06abcd336.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1692
        3⤵
        • Program crash
        PID:3520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1712 -ip 1712
    1⤵
      PID:644

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\TV.dll
      Filesize

      96KB

      MD5

      16ea8b59f4ba4f5a61fe1b8cd6050c94

      SHA1

      d1b6f248a30595b05110c5b693d2c9a6a494c9cf

      SHA256

      531c7fe97c6825b0aa2298fda4d4da836cc4e6028a423b05c55bb6b3669aae5c

      SHA512

      5fb879e60a91743e6f58ee565dfe909a576bd4ea9061ee816746283086ea5df6f2a6bfb5178a99555b73fc86b50c6104bce79c5beec97eef1e7e23cd96c7ccd6

      Download Submit

    • C:\Windows\svchost.exe
      Filesize

      4.4MB

      MD5

      487fc0841b35860747925942bfb5f1cd

      SHA1

      4e6777bcb17c7c8a7780e75868c8978c7c31e680

      SHA256

      72e4cefeac545a6da8d753124a83a92c3e743ea0a2cbcb0596ff085bc3e69ab2

      SHA512

      44d837cf628ab02a87472d33e1e14c93e1f263ba03c91e26b3e06e5e9231cb80557784cdc8dd6aff777f1932952dda72e8968ab331ea0784e133b48f30dca9cd

      Download Submit

    • C:\Windows\svchost.exe
      Filesize

      4.4MB

      MD5

      487fc0841b35860747925942bfb5f1cd

      SHA1

      4e6777bcb17c7c8a7780e75868c8978c7c31e680

      SHA256

      72e4cefeac545a6da8d753124a83a92c3e743ea0a2cbcb0596ff085bc3e69ab2

      SHA512

      44d837cf628ab02a87472d33e1e14c93e1f263ba03c91e26b3e06e5e9231cb80557784cdc8dd6aff777f1932952dda72e8968ab331ea0784e133b48f30dca9cd

      Download Submit

    • C:\Windows\ts.dll
      Filesize

      3KB

      MD5

      f9edc8d7adf09dba0b731f5c209b45be

      SHA1

      701cee7abd413510b1172fa1f914fc60fc8914f8

      SHA256

      0d40f792e0c7cc03e586bbdfb69f6a0d82a1253e39975b1f87c5cf6db676e277

      SHA512

      9861f58ca585a5c0be4e1110a63d880d75900e2da3698b0cc3066b2bd486ca128cc30003556f4356b5aec137fd89055b9b724789c9e4ea35bde392aa4e60b3ba

      Download Submit

    • C:\Windows\ts.dll
      Filesize

      3KB

      MD5

      f9edc8d7adf09dba0b731f5c209b45be

      SHA1

      701cee7abd413510b1172fa1f914fc60fc8914f8

      SHA256

      0d40f792e0c7cc03e586bbdfb69f6a0d82a1253e39975b1f87c5cf6db676e277

      SHA512

      9861f58ca585a5c0be4e1110a63d880d75900e2da3698b0cc3066b2bd486ca128cc30003556f4356b5aec137fd89055b9b724789c9e4ea35bde392aa4e60b3ba

      Download Submit

    • C:\Windows\ts.dll
      Filesize

      3KB

      MD5

      f9edc8d7adf09dba0b731f5c209b45be

      SHA1

      701cee7abd413510b1172fa1f914fc60fc8914f8

      SHA256

      0d40f792e0c7cc03e586bbdfb69f6a0d82a1253e39975b1f87c5cf6db676e277

      SHA512

      9861f58ca585a5c0be4e1110a63d880d75900e2da3698b0cc3066b2bd486ca128cc30003556f4356b5aec137fd89055b9b724789c9e4ea35bde392aa4e60b3ba

      Download Submit

    • C:\Windows\tv.dll
      Filesize

      96KB

      MD5

      16ea8b59f4ba4f5a61fe1b8cd6050c94

      SHA1

      d1b6f248a30595b05110c5b693d2c9a6a494c9cf

      SHA256

      531c7fe97c6825b0aa2298fda4d4da836cc4e6028a423b05c55bb6b3669aae5c

      SHA512

      5fb879e60a91743e6f58ee565dfe909a576bd4ea9061ee816746283086ea5df6f2a6bfb5178a99555b73fc86b50c6104bce79c5beec97eef1e7e23cd96c7ccd6

      Download Submit

    • memory/1712-138-0x0000000000400000-0x0000000000788000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/1712-139-0x00000000007D0000-0x00000000007D3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1712-142-0x0000000000400000-0x0000000000788000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/1712-143-0x00000000007D0000-0x00000000007D3000-memory.dmp

      Filesize

      12KB

      Download