Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
04/12/2022, 00:46
Static task
static1
Behavioral task
behavioral1
Sample
90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe
Resource
win7-20221111-en
General
-
Target
90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe
-
Size
72KB
-
MD5
db625eb4c9e276031d226504774ed156
-
SHA1
80574636b9f4f67ef4f725cf8591833865cd8604
-
SHA256
90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3
-
SHA512
4036cea7725cd605a2e01aa9f9db05ab826d611bc8da49f2b6ab03022b57ad7593e490a0f24c5873c78c81111bee0e54f4e20ab3534a079b438f50acd88854bf
-
SSDEEP
768:ywlPoVTdBzkS0FlS+i9ioQDhXwlPoVTdBzkS0FlS+i9ioQDkD:bZw4SMr5D+Zw4SMr5D
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2032 keygen.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2032 2532 90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe 82 PID 2532 wrote to memory of 2032 2532 90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe 82 PID 2532 wrote to memory of 2032 2532 90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe"C:\Users\Admin\AppData\Local\Temp\90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\keygen.exe"C:\Users\Admin\AppData\Local\Temp\keygen.exe"2⤵
- Executes dropped EXE
PID:2032
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD525bc76a566960aae43af8839bde8ce21
SHA1d130e6a399a82637254d0e0c0e3f463215a7d38a
SHA2561124d5843347985bae59529296a1dc269a79ac8a6d94f5817998cab43cdc7587
SHA512de7e0dfd1dec1050c7e1796537704ec1c230dcc59961332c88b543398646300ebe1681190b8458aa5555d9fc3aa2714ed4fdfd0a8268134e5c77d44d9bd2bc42
-
Filesize
36KB
MD525bc76a566960aae43af8839bde8ce21
SHA1d130e6a399a82637254d0e0c0e3f463215a7d38a
SHA2561124d5843347985bae59529296a1dc269a79ac8a6d94f5817998cab43cdc7587
SHA512de7e0dfd1dec1050c7e1796537704ec1c230dcc59961332c88b543398646300ebe1681190b8458aa5555d9fc3aa2714ed4fdfd0a8268134e5c77d44d9bd2bc42