Analysis
max time kernel: 161s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
  Resource: win10v2004-20220812-en
General
Target: aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
Size: 1.1MB
MD5: effbea685e7b77b9fa92604418c4f8f4
SHA1: 27059309b55f180b4135ace1016b4f407f26be70
SHA256: aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b
SHA512: 7b0e9d7c21d1960ff76df9f8f333014793e694b85bea3eccf3db6963d496a881efd782d7ec102b4b69a8efd29929a00a070d035f914c431f97b73121076b5da1
SSDEEP: 24576:2NGQvfd4wzQP6ASSvTd7z/fl3F6e8P25XZkKcs9hzTQVF4CFU:UGQHuaQiWvZ7ThW2tZZcs99Q0
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  PID 712   downhill.exe
  PID 4544  downhill.exe
  PID 1532  downhill.exe
  PID 4724  downhill.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Process: aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe (PID 3368)

Loads dropped DLL (3 IoCs)
  PID 3368  aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe (3 entries)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0  Process: downhill.exe
  File opened for modification: \??\PhysicalDrive0  Process: downhill.exe
The process tree below attributes these two opens to the /autorun /setuprun instance (PID 1532) and the /setupsucc instance (PID 4724). Note that the signature records a handle to the raw disk device opened with write access; the report does not show the offset or contents written, so confirming an actual MBR overwrite needs a disk image or sector-0 comparison from the sandbox run.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (46 IoCs)
  PID 3368  aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe (2 entries)
  PID 4724  downhill.exe (22 entries)
  PID 1532  downhill.exe (22 entries)

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4544  downhill.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 712   downhill.exe (2 entries)
  PID 1532  downhill.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID 3368 (aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe) wrote to memory of:
    PID 712   (procid_target 77), 3 entries
    PID 4544  (procid_target 78), 3 entries
    PID 1532  (procid_target 79), 3 entries
    PID 4724  (procid_target 80), 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe  (PID 3368)
  command line: "C:\Users\Admin\AppData\Local\Temp\aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  +-- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe  (PID 712)
      command line: "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" SW_SHOWNORMAL
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  +-- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe  (PID 4544)
      command line: "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" /ShowDeskTop
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow

  +-- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe  (PID 1532)
      command line: "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" /autorun /setuprun
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  +-- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe  (PID 4724)
      command line: "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" /setupsucc
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
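The signature and process sections above are the evidence a detection engineer wants to reason about mechanically: a parent dropping a binary into %APPDATA%, running it four times with different switches, and two of those children opening the raw disk device. The following Python is an added example, not part of the tria.ge report and not code from the sample. It restates the report's observations (parent PID 3368, the four downhill.exe children, the \??\PhysicalDrive0 opens by PIDs 1532 and 4724, the Geo\Nation registry query) as a constructed event stream and applies three rules to it: raw physical-drive handle opened for write by a process in the sample's tree, a Geo\Nation lookup (geofencing), and a dropped binary executed as a child. The event shape, field names, ordering and the ATT&CK IDs in the comments are my assumptions; the page does not include the raw sandbox log.

```python
import re
from collections import defaultdict

# Names taken from the report above.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe"
DROPPED_IMAGE = r"C:\Users\Admin\AppData\Roaming\downhill\downhill.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000"
           r"\Control Panel\International\Geo\Nation")

# Constructed event stream restating the report's observations in one shape.
# This is not the sandbox's raw log (the page does not include one); the
# field names and the ordering are assumptions.
EVENTS = [
    {"pid": 3368, "ppid": None, "kind": "process_create", "image": SAMPLE_IMAGE, "args": ""},
    {"pid": 3368, "kind": "reg_query", "path": GEO_KEY},
    {"pid": 712,  "ppid": 3368, "kind": "process_create", "image": DROPPED_IMAGE, "args": "SW_SHOWNORMAL"},
    {"pid": 4544, "ppid": 3368, "kind": "process_create", "image": DROPPED_IMAGE, "args": "/ShowDeskTop"},
    {"pid": 1532, "ppid": 3368, "kind": "process_create", "image": DROPPED_IMAGE, "args": "/autorun /setuprun"},
    {"pid": 1532, "kind": "file_open_write", "path": r"\??\PhysicalDrive0"},
    {"pid": 4724, "ppid": 3368, "kind": "process_create", "image": DROPPED_IMAGE, "args": "/setupsucc"},
    {"pid": 4724, "kind": "file_open_write", "path": r"\??\PhysicalDrive0"},
]

# \??\PhysicalDriveN is the raw-disk device path; a write handle on it is how
# sector 0 (the MBR) gets overwritten without touching the file system.
RAW_DISK_RE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.IGNORECASE)
GEO_SUFFIX = r"\control panel\international\geo\nation"


def parent_map(events):
    """pid -> parent pid, built from process_create records."""
    return {e["pid"]: e["ppid"] for e in events if e["kind"] == "process_create"}


def descends_from(pid, root, pmap):
    """True if pid is root or has root somewhere in its parent chain."""
    seen = set()
    while pid is not None and pid not in seen:
        if pid == root:
            return True
        seen.add(pid)
        pid = pmap.get(pid)
    return False


def triage(events, root_pid):
    """Apply the three rules to every event attributable to root_pid's process tree."""
    pmap = parent_map(events)
    root_image = next(e["image"] for e in events
                      if e["kind"] == "process_create" and e["pid"] == root_pid)
    findings = defaultdict(set)
    for e in events:
        pid = e["pid"]
        if not descends_from(pid, root_pid, pmap):
            continue  # an unrelated process opening PhysicalDrive0 is not this sample's doing
        kind = e["kind"]
        if kind == "file_open_write" and RAW_DISK_RE.match(e["path"]):
            findings["raw_disk_write"].add(pid)        # ATT&CK T1542.003 Bootkit (assumed mapping)
        elif kind == "reg_query" and e["path"].lower().endswith(GEO_SUFFIX):
            findings["geofence_lookup"].add(pid)       # ATT&CK T1614 System Location Discovery (assumed mapping)
        elif kind == "process_create" and pid != root_pid and e["image"] != root_image:
            findings["dropped_exe_executed"].add(pid)  # child running a binary other than the parent's
    return dict(findings)


def verdict(findings):
    """A raw disk write by a dropped child is the decisive signal; a Geo\\Nation
    lookup on its own also shows up in benign installers."""
    if findings.get("raw_disk_write") and findings.get("dropped_exe_executed"):
        return "bootkit-suspect"
    if findings:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    f = triage(EVENTS, 3368)
    for rule, pids in sorted(f.items()):
        print(f"{rule:22s} {sorted(pids)}")
    print("verdict:", verdict(f))
```

The tree check in `triage` is the part worth keeping when porting this to a real telemetry source: a write handle on \??\PhysicalDrive0 is also what disk-imaging and partitioning tools open, so the rule only fires when the opener descends from the sample. The `args` field is carried but not scored; the /autorun /setuprun and /setupsucc switches are specific to this family and would belong in a separate, sample-specific rule.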
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files are listed by hash only; a file whose hashes occur more than once in the report is shown once with its entry count.

Filesize: 3KB (2 entries)
MD5: 8614c450637267afacad1645e23ba24a
SHA1: e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256: 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512: af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Filesize: 11KB (1 entry)
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 416B (2 entries)
MD5: b5327437c7760ed5465764a66dad7c5d
SHA1: 143b40cfb78b74c7f03c661cc1b172c98b903621
SHA256: d311c3cf024b4c77f2c2f31a9feeccc760cda6ce5bf480533dfd632c82b2983b
SHA512: 65db2ce8d3bfffc653ce53a38a7ebd5a47068442fcbd4d5e472b46ddef4b413c5c5d9ccd1cabe9c1d340645d3d625c2ca6339b3994a99dab0bb1154d72149bd0

Filesize: 448B (1 entry)
MD5: 0354208aa510521c29f68976064cf4ed
SHA1: 57532514e83a3018025942f3639ff214c307672d
SHA256: 254b91ed6a7766f21840e90a6f1c030ae7edcc3d341f67c54b05c768a9fde112
SHA512: b5c554868b0e3242aaa8cc6ec94a6e3a541c38341276022fb747d85e25a47a343d0f0d65b28b87472c33e8391931d123fae7a1989046470b4bcb2663aa351549

Filesize: 672B (2 entries)
MD5: 5b40ebdd9a60fedd258d75dcbf7b5246
SHA1: e4a485919c7e720c01cf5d6f42c3115c97908a35
SHA256: 52a03267442cd3506307e6ecf68447b31dc5ebc92538f6b337d46bb2626754a9
SHA512: 07d222af982ceb309925c547238754fca56d24922be5ff36f7ba06d2d84164fc7f0c10445fb3aac8cbdee0f76a9514c144016b060a69b8d5db5a26317b48de0d

Filesize: 1.3MB (5 entries)
MD5: ce25a1dd39160a76c2897033a6994b16
SHA1: d8fc1e6b7ede9c4aa9322607a2f9d10c423945de
SHA256: 53822e59b4ae7c2df39d938e0a4b96f4cde12c1bdd639866e9737c996c0dc4c8
SHA512: a93653b7715b8ed010dcce07da0edd905203c5cf03182341de5e926f16d3f8cad3e70eda55ed8856a3f72e2570df83d82986ed2a328bd2f40b276a6d76458f65