Analysis
max time kernel: 396s
max time network: 452s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  Resource: win10v2004-20221111-en
General
Target: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
Size: 2.0MB
MD5: 0ce92ed77c07532a818e8604c582fcec
SHA1: eb0932f99b64a6cca7e1cd96c989ee14810b5dae
SHA256: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59
SHA512: dba5affc0b225c2f1068da92ab516f38cc6daf2132134471fd732b08d563c0fb8cfb9607c374d98146af3a0b9f2521aa53e7a6ae95e6e885f114f8a80cb2ab67
SSDEEP: 49152:l/DduN3sJM79Gg+DhRg9Wu/O0xFJog2wz:lrduNes8tY9Wu/fxTo2
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid    Process
  3056   intell.exe
  4916   intell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description          ioc                                                                                              Process
  Key value queried    \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation    287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    Process                                                                   procid_target
  PID 616 wrote to memory of 3056    616    287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe    82
  PID 616 wrote to memory of 3056    616    287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe    82
  PID 616 wrote to memory of 3056    616    287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe    82
  PID 3056 wrote to memory of 4916   3056   intell.exe                                                                85
  PID 3056 wrote to memory of 4916   3056   intell.exe                                                                85
  PID 3056 wrote to memory of 4916   3056   intell.exe                                                                85
  PID 3056 wrote to memory of 4916   3056   intell.exe                                                                85
  PID 3056 wrote to memory of 4916   3056   intell.exe                                                                85
Processes
C:\Users\Admin\AppData\Local\Temp\287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe (PID: 616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\intell.exe (PID: 3056)
    Command line: "C:\Users\Admin\AppData\Local\Temp\intell.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\intell.exe (PID: 4916)
      Command line: "C:\Users\Admin\AppData\Local\Temp\intell.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.7MB
MD5: cf589d524b8ea080275efbae7448a904
SHA1: 417a83d229bd6d53e445b1949faca63482cc0d5b
SHA256: 4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a
SHA512: 94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189