Analysis
max time kernel: 172s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 12:35
Static task: static1
Behavioral task: behavioral1
  Sample: d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
  Resource: win10v2004-20220812-en
General
Target: d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
Size: 380KB
MD5: 92755b55559f0e8bdb99349174492f5c
SHA1: bf9f6475fde5952e4ed0e2fbbef752912abb0b94
SHA256: d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d
SHA512: 80395cfba34752a6cecafc9387ad486368d507af95b41c76977fa52b5f0fe1b6e7e56c101234f319f541f9884ea9b093dbdb2d5545947eddfa1af7fbef6dd2e0
SSDEEP: 6144:Qoy8kq/mn2Ty3WgROsgykVl/j7sBfZpJ+ssVQxTzXHEXU0/X9zbKlkc9JnzCvz7N:lLUY4kVl7Y/mVQ1raU4XlbKlJzc7rcK3
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 4436  27.sfx.exe
  pid 4920  27.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (process: d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  (process: 27.sfx.exe)
Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\found.exe  (process: 27.exe)
  File created: C:\Windows\SysWOW64\found.exe  (process: 27.exe)
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Debug\found32.dll  (process: 27.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (6 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32\ = "C:\\Windows\\Debug\\found32.dll"  (process: regedit.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32\ThreadingModel = "Apartment"  (process: regedit.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  (process: 27.sfx.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}  (process: regedit.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\ = "url"  (process: regedit.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32  (process: regedit.exe)
Runs .reg file with regedit (1 IoC)
  pid 3484  regedit.exe
Suspicious use of WriteProcessMemory (15 IoCs; each parent/child pair was recorded three times)
  PID 4284 wrote to memory of 4436  (process: d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe, procid_target: 80)  x3
  PID 4436 wrote to memory of 4920  (process: 27.sfx.exe, procid_target: 81)  x3
  PID 4920 wrote to memory of 4872  (process: 27.exe, procid_target: 82)  x3
  PID 4920 wrote to memory of 4888  (process: 27.exe, procid_target: 85)  x3
  PID 4872 wrote to memory of 3484  (process: cmd.exe, procid_target: 86)  x3
Processes
C:\Users\Admin\AppData\Local\Temp\d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe"
  PID: 4284
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe"
    PID: 4436
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe"
      PID: 4920
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fnous.bat
        PID: 4872
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regedit.exe
          Command line: regedit /s C:\Users\Admin\AppData\Local\Temp\nothks.reg
          PID: 3484
          - Modifies registry class
          - Runs .reg file with regedit
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe"
        PID: 4888
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4744
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
  Filesize: 194KB
  MD5: 85529ed8be19e0cfc8408a541f02e19f
  SHA1: ca0e15300463621bec1fc91728000f1a73a3e461
  SHA256: aa4a476faff39936588e29ef13f36460f00232e9e2346064ea13cc415a9311c5
  SHA512: a5c501c4b7d0ad3872308e4e9bcefd4d3e9d13e07303ffaacc841057517c8238f348beadd9538f81a663e9c8c543fd5ad2365302780ef08eba0c1cd3f303b286
File 2
  Filesize: 265KB
  MD5: b6bfaab8c3930f7f662eae3409f50e1e
  SHA1: 1a095262ed56ce4fcda7471536302a1056f84e65
  SHA256: 552399c08861d1590324c67daf57de58a6bd9dcb027a80baa8313c57124cd518
  SHA512: ee04c5b601898b398a34beebe82c6b40203900c797836d93aeb10c8b645ec19f312f35dd817e3c10d79ff67ed6ce1d9832cb70e635d66f6c22e450fc122727e8
File 3
  Filesize: 126B
  MD5: 7ab275c1bc8750fe49119429e12ab856
  SHA1: ea556c59c5d3f2be584d2e208ba42a1540f46986
  SHA256: 8d96bacc0e4651d7b8c27613f3f721bb89ca9fb9430bab66b2ef90bfe8cb5bb3
  SHA512: 7fe4bce942523a6adde6d83fc2f63302283f3e0642db4f9f650d50ba8f6f2b7b587229736521615d54b596f24a23146ab7aecb512c145b8dc4b81050ac3576c1
File 4
  Filesize: 403B
  MD5: e1db5e72383ca2535cc04d98efb0f6e6
  SHA1: b3407d394658ad2d4ef59179fd2ddd419a1dc1d7
  SHA256: 52a9ba0c766a4da941eb674797f1770712e64e2d2104271b4ff6368a45ba5c31
  SHA512: 6ac5c144d0103b722a7203b04f79b3c691ff1393b59555a7ccd454a10a64e2c60111e9e45dc1fdaa3fdf180fac2b0416250aa0180a946c772bd3f1225c15c095