Analysis
max time kernel: 189s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 17:53
Behavioral task: behavioral1
Sample: b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
Resource: win10v2004-20221111-en
General
Target: b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
Size: 546KB
MD5: 9c6e9bae04e514b47eefbddbb5e67d2b
SHA1: 6e9b1f7ee1b723035409ecd1d16c932b4141e1cb
SHA256: b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277
SHA512: 0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0
SSDEEP: 3072:CNnqDxIGX/9nDiG7t6yCAti1zxGJidD5iYAHg4Cs7lJgxwL0out:CNnxKL0oS
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  4028  winlogon.exe
  4212  winlogon.exe

  resource                                                                       yara_rule
  behavioral2/files/0x0006000000022e52-135.dat                                   upx
  behavioral2/files/0x0006000000022e52-136.dat                                   upx
  behavioral2/memory/3756-137-0x0000000000400000-0x0000000000448000-memory.dmp   upx
  behavioral2/memory/4028-140-0x0000000000400000-0x0000000000448000-memory.dmp   upx
  behavioral2/memory/4028-141-0x0000000000400000-0x0000000000448000-memory.dmp   upx
  behavioral2/memory/4212-143-0x0000000000400000-0x000000000043F000-memory.dmp   upx
  behavioral2/files/0x0006000000022e52-144.dat                                   upx
  behavioral2/memory/4212-146-0x0000000000400000-0x000000000043F000-memory.dmp   upx
  behavioral2/memory/4212-147-0x0000000000400000-0x000000000043F000-memory.dmp   upx
  behavioral2/memory/4212-150-0x0000000000400000-0x000000000043F000-memory.dmp   upx

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation   b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process        procid_target
  PID 4028 set thread context of 4212   4028  winlogon.exe   97

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  3756  b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
  4028  winlogon.exe
  4212  winlogon.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3756 wrote to memory of 4028   3756  b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe   87
  PID 3756 wrote to memory of 4028   3756  b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe   87
  PID 3756 wrote to memory of 4028   3756  b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe   87
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
  PID 4028 wrote to memory of 4212   4028  winlogon.exe                                                            97
Processes

C:\Users\Admin\AppData\Local\Temp\b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3756

  C:\Users\Admin\E696D64614\winlogon.exe
    Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4028

    C:\Users\Admin\E696D64614\winlogon.exe
      Command line: Error 448
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID: 4212
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize: 2KB
  MD5: 97acf0930ce9f2f69d40ed8e1178cec6
  SHA1: 6380a2d97e4b4ccc3b4598cc2d431702e54ed69c
  SHA256: b38f02de41dbb7db433a5f440dff85432150ff71d53b7ef8792d96da80962343
  SHA512: f49c8a4fa51127e7d8b71cd0257bbedc8855ea708ec0e313e5071b656aedb815b55e51619df24ed967c4df0e685a4940cc1f123aa4ee0198a3d1ada1b42480e1

(path not shown)
  Filesize: 472B
  MD5: 0be73f837e6aeb740e5c608fb17237b5
  SHA1: 4dfd1104c0558f35d83b35ca08e4874052be4bc7
  SHA256: 9f57778d4b2af1df4ee9000e3be98a38927c78d4d61b8a70f7a6499c2842fa89
  SHA512: 1bd4cfb2889952a56d3b6c58f181343d491d18d10b645289746176d392426467a9e68f52a48315bb809cd917ac598489b0e2cad995fd689a1b8673376316313e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  Filesize: 488B
  MD5: 130a8b6b866c371560107bb88b81fe43
  SHA1: 68c3bd5364e57738f04636f511549fdcfca02d14
  SHA256: b3d22680069f518a90ecf87f76cbb93864bfd843f7e788b4c6ee6e743ad973d2
  SHA512: 9726e5dd79f553fbc98afcae7d6cfec963bc464a678493af370f8cb0a51507a17d06908aada671dceae1028ee3c0e9550feb28c83d0847ac40a222af4ff74138

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2119239CBE0D3DBEF6F19E0B10265873
  Filesize: 476B
  MD5: 793252ffde02a85dfa0e3daf689fbd38
  SHA1: 8b1d0b26ba423b8d1fe6b904d6db4243fee53833
  SHA256: 308322f24b71fb00a4b7130036489e201d8301bf86d9636a65568ee95cbc088e
  SHA512: 3015ec61266c53733b840d331de2ba7088a21be8bdad42b3caf28a842b3c181877b0c005c26e70152c865e0496e90a07df423115c3091e3c74e3205a96592312

(path not shown)
  Filesize: 546KB
  MD5: 9c6e9bae04e514b47eefbddbb5e67d2b
  SHA1: 6e9b1f7ee1b723035409ecd1d16c932b4141e1cb
  SHA256: b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277
  SHA512: 0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0

(path not shown)
  Filesize: 546KB
  MD5: 9c6e9bae04e514b47eefbddbb5e67d2b
  SHA1: 6e9b1f7ee1b723035409ecd1d16c932b4141e1cb
  SHA256: b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277
  SHA512: 0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0

(path not shown)
  Filesize: 546KB
  MD5: 9c6e9bae04e514b47eefbddbb5e67d2b
  SHA1: 6e9b1f7ee1b723035409ecd1d16c932b4141e1cb
  SHA256: b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277
  SHA512: 0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0