Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

8

afb78b3c90...4c.exe

windows7-x64

9

afb78b3c90...4c.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    187s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afb78b3c90ed080760346fefe00ecca6e6f8bdfd49c23f4cba863a3b9c0f6e4c.exe

  • Size

    21KB

  • MD5

    094e336d0e66d2664504a1940426e685

  • SHA1

    aab0aa8f2811af218c92d7bf4f80f844898d606d

  • SHA256

    afb78b3c90ed080760346fefe00ecca6e6f8bdfd49c23f4cba863a3b9c0f6e4c

  • SHA512

    ded214a5d4933a596457dd103f328e72843cb46afe6ad843165475c38a18ef865f0f39979f2da7552ea2590dbdadab6e1d319ea24cc0ce2e0e28be2fe0b5d98c

  • SSDEEP

    384:0luHHPs2ilHJxk7AsRZXLcvWm0Mt4tcguoQFndsCDwfw+XLU:yun3ilpSbXLc1tJguHFdLwXI

Score
9/10
upx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afb78b3c90ed080760346fefe00ecca6e6f8bdfd49c23f4cba863a3b9c0f6e4c.exe
    "C:\Users\Admin\AppData\Local\Temp\afb78b3c90ed080760346fefe00ecca6e6f8bdfd49c23f4cba863a3b9c0f6e4c.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\AFB78B~1.EXE >> NUL
      2⤵
        PID:2092

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\ufQCU5.dll
      Filesize

      15KB

      MD5

      b80468aae36c20a6d43e343441f48ec9

      SHA1

      ab43507cb8e1d07af8dc6eec59aff93cee204a47

      SHA256

      84cf3f8d50b896f20bcc1e9d110cfa50012173782e0fa02db5f31a524e04735c

      SHA512

      b943b6205ae09966c592b6c2fb73977df95c2f8730b2efdc959e2e300101ae38e80e5fb048275333a6a32842a02b521e28b5700f4ecc42c91d93a35398d897a0

      Download Submit

    • memory/4456-132-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4456-134-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/4456-135-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4456-137-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download