Analysis
Max time kernel: 159s
Max time network: 161s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05/12/2022, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
  Resource: win10v2004-20220812-en
General
Target: 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
Size: 179KB
MD5: 8155b71a2e4562b5e682d22f0010bd24
SHA1: 6a9bc4ae28b678ec766ccc6e1e80bd8e0216f3f5
SHA256: 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b
SHA512: 8966917fa4607935d370704ecab41461615239258419891ae70de086956f86fda693f9070e09da25cff110e51e75806ff92c943c914839f885fe168c4929a65a
SSDEEP: 3072:X875giexVu7fhrnv6MJQPRu2uuQ6ET31Ap0A+GpMWLHJiFp3:slPex8VuMepBLRLpiz
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe

Loads dropped DLL (1 IoC)
  pid | Process
  3040 | regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3108 wrote to memory of 3232 | 3108 | 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe | 80
  PID 3108 wrote to memory of 3232 | 3108 | 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe | 80
  PID 3108 wrote to memory of 3232 | 3108 | 649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe | 80
  PID 3232 wrote to memory of 3040 | 3232 | cmd.exe | 82
  PID 3232 wrote to memory of 3040 | 3232 | cmd.exe | 82
  PID 3232 wrote to memory of 3040 | 3232 | cmd.exe | 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe"
   PID: 3108
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\3482\lmbd.dll"
      PID: 3232
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\3482\lmbd.dll"
         PID: 3040
         Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 92KB
MD5: 7cb12175da81309e26bb86cd25c49540
SHA1: 86b7de2a4a84b82ef19e0626b34edda01e46c93d
SHA256: 3c3c6e8eaccf40b723d6225fdfb58a29e42c8071406bf70ef427c59fae21ea85
SHA512: 22172711f774a1163e6b25d6c229b925f87d088c0cb494b0c827bd4c6e0d153352048739a2254ce0ea364f45c74710da13a53fa256992feb1f31861bdc8d4631