Analysis

  • max time kernel
    179s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 21:32

General

  • Target

    6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe

  • Size

    114KB

  • MD5

    09945d835a49e69aa6b0c12913f0176e

  • SHA1

    df15b07e32658a9b54f6644cae201618e36e3fe0

  • SHA256

    6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330

  • SHA512

    2b512d540beddc9385e383e04f442b78f50d769003a9c744c1feafc9443b5c8b2a44636a2c974fb16184cc51f0788134b0ebbfb6fca159ff3ace5935c95e9b8b

  • SSDEEP

    1536:Cr7QvQt3WpOck/R3Xz0z2arhTRifCFTuARVpgM+Wf3VkPVfT48Jnit4dXJlVit5y:Cz+92mhTMMJ/cPiq5bViX5kYi2YSc

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe
    "C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4940
    • C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe
      "C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe" htxkwau.bat+
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c htxkwau.bat
        3⤵
        • Drops file in Drivers directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Windows\SysWOW64\chcp.com
          chcp 866
          4⤵
          PID:2736
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im "praetorian.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4704
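
The process tree above is the chain an endpoint detection rule should catch: an executable running from %TEMP% launches a second dropped executable with a batch file as its argument, that one runs the batch under cmd.exe, and the batch switches the console to code page 866 (Cyrillic DOS) before force-killing a process by image name. The Python below is an added example, not part of the Triage report or of the sample: it encodes those behaviours as rules over process-creation events and walks parent links so that whole lineages surface rather than isolated hits. The events are constructed from the PIDs, images and command lines in the tree; the explorer.exe root (PID 3000) and the record layout are assumptions, and a real deployment would fill the same four fields from Sysmon Event ID 1.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record: the fields Sysmon Event ID 1 also carries."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the Processes tree of this report.  PIDs, image
# paths and command lines come from the report; the explorer.exe root (PID 3000,
# an assumption) stands in for whatever launched the sample.
SAMPLE_EVENTS = [
    ProcEvent(3000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4940, 3000,
              r"C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe"'),
    ProcEvent(5112, 4940,
              r"C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe" htxkwau.bat+'),
    ProcEvent(936, 5112, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c htxkwau.bat"),
    ProcEvent(2736, 936, r"C:\Windows\SysWOW64\chcp.com", "chcp 866"),
    ProcEvent(4704, 936, r"C:\Windows\SysWOW64\taskkill.exe",
              r'taskkill /f /im "praetorian.exe"'),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def classify(ev: ProcEvent, parent: ProcEvent | None) -> list[str]:
    """Behaviour tags a single event trips, given its parent (if known)."""
    tags: list[str] = []
    if TEMP_DIR.search(ev.image):
        tags.append("exec_from_temp")
    if _base(ev.image) == "cmd.exe" and re.search(r"/c\s+\S+\.bat\b", ev.cmdline, re.I):
        tags.append("cmd_runs_bat")
    if _base(ev.image) == "chcp.com" and re.search(r"\b866\b", ev.cmdline):
        tags.append("chcp_cyrillic")  # CP866 is the Cyrillic DOS code page
    if _base(ev.image) == "taskkill.exe" and re.search(r"/f\b.*/im\b", ev.cmdline, re.I):
        tags.append("taskkill_force_by_image")
    if parent is not None and TEMP_DIR.search(parent.image):
        if _base(ev.image) == "cmd.exe":
            tags.append("temp_exe_spawns_cmd")
        elif TEMP_DIR.search(ev.image):
            tags.append("temp_exe_spawns_temp_exe")  # the "Executes dropped EXE" case
    return tags


def detect(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each PID that tripped at least one rule to its tags."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, list[str]] = {}
    for ev in events:
        tags = classify(ev, by_pid.get(ev.ppid))
        if tags:
            hits[ev.pid] = tags
    return hits


def lineage(events: list[ProcEvent], pid: int) -> list[int]:
    """Follow ppid links from pid up to the root; oldest ancestor first."""
    by_pid = {e.pid: e for e in events}
    chain: list[int] = []
    while pid in by_pid and pid not in chain:  # membership check stops on ppid cycles
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def suspicious_chains(events: list[ProcEvent], min_tags: int = 3) -> list[tuple[list[int], list[str]]]:
    """Root-to-leaf PID chains whose members together trip >= min_tags distinct tags."""
    hits = detect(events)
    parents = {e.ppid for e in events}
    leaves = [e.pid for e in events if e.pid not in parents]
    out = []
    for leaf in leaves:
        chain = lineage(events, leaf)
        tags = sorted({t for p in chain for t in hits.get(p, [])})
        if len(tags) >= min_tags:
            out.append((chain, tags))
    return out


if __name__ == "__main__":
    for chain, tags in suspicious_chains(SAMPLE_EVENTS):
        print(" -> ".join(str(p) for p in chain), tags)
```

Each rule on its own is noisy (cmd.exe running a .bat, or taskkill /f, is routine in admin scripts); the signal comes from requiring several distinct tags along one parent chain, which is what suspicious_chains does with min_tags.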

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\htxkwau.bat

    Filesize

    11KB

    MD5

    f0e2887a64780579b26218394735ade9

    SHA1

    eef146067883cdeace57a98d7675c5e1e5335297

    SHA256

    c7df727c52d9390e4ae0f60d71803a21f2170127664828d1a074c72d81002af2

    SHA512

    115be0ac5a10a9116583a74c0cd430361de3c15e0302e0a5579958a57756e50c1ef99f8728b9d10900dcd83849c9dc742537ad19aeaa68649f131fce9d442e38

  • C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe

    Filesize

    20KB

    MD5

    e2b051be5b31684e39c4f62948f92588

    SHA1

    23cb2f7549775bed432dd5320ce27957846a2ec9

    SHA256

    900296d4126449331857e8754bad845ee29d12ecf628c2929d9c2922bba0b0d5

    SHA512

    f310b07673676ee2d9feb58bb09450e228dd06a89d35ce23072d332ba55dfa61cd24492494f604d0af822a83bf82847a0465f56974614a1b6115821bebf29710

  • C:\Windows\system32\drivers\etc\hosts

    Filesize

    969B

    MD5

    88e836e667a4b903cd0b579c4b7d0dc3

    SHA1

    d32f0fcbdd7ce97569b396f27e3a4120a44b0c65

    SHA256

    845dba03ad05979240875c69d01554d91cadb74fe1d97d30949e4f15f7022900

    SHA512

    ecf3851789a66a81994112ac97e48836bb3e3dc5b4d7121020d53df13fa7341b6fb2fae7ee7b82e82976afb91dbeff2996471ac5816e33d2d8954d52cf2c66da
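
The 969-byte hosts file is the artefact behind the "Drops file in Drivers directory" signature: C:\Windows\system32\drivers\etc\hosts is consulted before DNS, so an entry there can sinkhole update or security-vendor domains or redirect a legitimate site to an attacker-controlled host. The Python below is an added example for triaging a hosts file pulled from a suspect machine; it is not from the report or the sample. It hashes the file against the SHA256 listed above, lists every active entry (on a stock Windows 10 install every line of hosts is a comment, so any active mapping deserves a look) and classifies each by where it points. The sample hosts content is constructed: the report does not show what the sample actually wrote, so none of the hostnames come from it.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass

# SHA256 of C:\Windows\system32\drivers\etc\hosts as written during this analysis.
REPORT_HOSTS_SHA256 = "845dba03ad05979240875c69d01554d91cadb74fe1d97d30949e4f15f7022900"

# Constructed hosts file for illustration.  The report does not show what the
# sample wrote, so none of these lines or hostnames come from it; the commented
# localhost lines mirror the layout of a stock Windows hosts file.
SAMPLE_HOSTS = b"""# Sample hosts file (constructed)
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1    update.example-av.test
0.0.0.0      telemetry.example-vendor.test    # sinkholed
10.20.30.40  login.example-bank.test
"""

KINDS = ("sinkhole", "redirect_private", "redirect_public")


@dataclass(frozen=True)
class HostsEntry:
    address: str
    names: tuple[str, ...]
    line_no: int

    @property
    def kind(self) -> str:
        ip = ipaddress.ip_address(self.address)
        if ip.is_loopback or ip.is_unspecified:
            return "sinkhole"          # name resolves nowhere useful: blocks updates/AV
        if ip.is_private:
            return "redirect_private"  # name hijacked to an internal host
        return "redirect_public"       # name hijacked to an attacker-chosen host


def parse_hosts(data: bytes) -> list[HostsEntry]:
    """Return the active (uncommented, well-formed) entries of a hosts file."""
    entries: list[HostsEntry] = []
    text = data.decode("utf-8", errors="replace")
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()    # drop comments, including trailing ones
        if not body:
            continue
        parts = body.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first token is not an address: not a mapping
        if len(parts) < 2:
            continue                            # address with no hostname maps nothing
        entries.append(HostsEntry(parts[0], tuple(p.lower() for p in parts[1:]), line_no))
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess(data: bytes) -> dict:
    """Summarise a hosts file: IOC match, size, and active entries grouped by kind."""
    entries = parse_hosts(data)
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "matches_report_ioc": digest == REPORT_HOSTS_SHA256,
        "size": len(data),
        "active_entries": len(entries),
        "by_kind": {k: [(e.line_no, e.address, e.names) for e in entries if e.kind == k]
                    for k in KINDS},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_HOSTS), indent=2))
```

The hash comparison only confirms this exact artefact; a different build of the same sample, or a victim-specific hosts file, will not match, which is why the entry listing, not the hash, is the durable check. Feed it the raw bytes of the file (read in binary mode) so the digest matches what the sandbox computed.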