Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 00:46

General

  • Target

    90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe

  • Size

    72KB

  • MD5

    db625eb4c9e276031d226504774ed156

  • SHA1

    80574636b9f4f67ef4f725cf8591833865cd8604

  • SHA256

    90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3

  • SHA512

    4036cea7725cd605a2e01aa9f9db05ab826d611bc8da49f2b6ab03022b57ad7593e490a0f24c5873c78c81111bee0e54f4e20ab3534a079b438f50acd88854bf

  • SSDEEP

    768:ywlPoVTdBzkS0FlS+i9ioQDhXwlPoVTdBzkS0FlS+i9ioQDkD:bZw4SMr5D+Zw4SMr5D

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients (2 TTPs)

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe
    "C:\Users\Admin\AppData\Local\Temp\90f64a9ddda7899516c084e2cf2668b809ebf09ed994448d3aa87ca30e99abe3.exe"
    (depth 1)
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      (depth 2)
      • Executes dropped EXE
      PID:2032

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe

    Filesize

    36KB

    MD5

    25bc76a566960aae43af8839bde8ce21

    SHA1

    d130e6a399a82637254d0e0c0e3f463215a7d38a

    SHA256

    1124d5843347985bae59529296a1dc269a79ac8a6d94f5817998cab43cdc7587

    SHA512

    de7e0dfd1dec1050c7e1796537704ec1c230dcc59961332c88b543398646300ebe1681190b8458aa5555d9fc3aa2714ed4fdfd0a8268134e5c77d44d9bd2bc42