Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05/12/2022, 20:02
Static task
static1
Behavioral task
behavioral1
Sample
0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe
Resource
win10v2004-20220812-en
General
-
Target
0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe
-
Size
1.5MB
-
MD5
5c7f0056223c7ea15e33015c2e8d03b9
-
SHA1
1c59ee747c47601f898265fd1936a591b7859b97
-
SHA256
0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d
-
SHA512
9ab22b48c2c8680b62ecc23307501288f5b6eddc488ff348f53a240e9829cab1b3b0a0c463c43857064028eed47d677429a172aee22458f02168ae4fc801e5e8
-
SSDEEP
24576:VJr8tEZgHqPxDQ6mJ4knfK+SnI9rTkp68olJxoXubBolvJKokXmdQbjI99DKdA:VJ4oPK6mtnCzIVTkQ8gJBbBG4lXI9Me
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe -
Loads dropped DLL 2 IoCs
pid Process 1604 regsvr32.exe 1604 regsvr32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1944 wrote to memory of 1604 1944 0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe 82 PID 1944 wrote to memory of 1604 1944 0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe 82 PID 1944 wrote to memory of 1604 1944 0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe"C:\Users\Admin\AppData\Local\Temp\0914ac0453f0ee9670f26eb85be540235091c9dd26719f34cc861aca8c15bd4d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" -U .\p6MkCCb5.hP /S2⤵
- Loads dropped DLL
PID:1604
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5499d8083cd1ec07d5f9a4a692223bc51
SHA1afdcba7842d8194928c2bdfb945f5ad7d8226212
SHA25689aea267d342284b8bbbd67ec8c16b95f60e5122627f07184b9291946ece1f50
SHA512fa24f4647a1011862c8198d4b6a5c73abb739656d5ae3a0fb068717370ec564f32cb2aa6bb304bc81589a26cc149cb2f887481dc36ad074896d0f6799f086a2c
-
Filesize
2.7MB
MD5499d8083cd1ec07d5f9a4a692223bc51
SHA1afdcba7842d8194928c2bdfb945f5ad7d8226212
SHA25689aea267d342284b8bbbd67ec8c16b95f60e5122627f07184b9291946ece1f50
SHA512fa24f4647a1011862c8198d4b6a5c73abb739656d5ae3a0fb068717370ec564f32cb2aa6bb304bc81589a26cc149cb2f887481dc36ad074896d0f6799f086a2c
-
Filesize
2.7MB
MD5499d8083cd1ec07d5f9a4a692223bc51
SHA1afdcba7842d8194928c2bdfb945f5ad7d8226212
SHA25689aea267d342284b8bbbd67ec8c16b95f60e5122627f07184b9291946ece1f50
SHA512fa24f4647a1011862c8198d4b6a5c73abb739656d5ae3a0fb068717370ec564f32cb2aa6bb304bc81589a26cc149cb2f887481dc36ad074896d0f6799f086a2c