Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  • submitted
    06/12/2022, 23:39

General

  • Target

    fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe

  • Size

    1.1MB

  • MD5

    2f969320b014a432edea0a2c25f7030b

  • SHA1

    1dcaecad9a65d61486e10e4871692cad1aa2a92e

  • SHA256

    fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11

  • SHA512

    87919f3f635103993333a9bce3adbae366b7695e732b1e9c78268a61a0f900be87ffb756e04a5638e889247a1b2a58c7bbc4e790d8aef6005476208a27e2cf1b

  • SSDEEP

    12288:kCSPzc2+LuQf/tYBdm2fIpjEhWVETVcDmx1yo:VJt1TVd2omXyo

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
    "C:\Users\Admin\AppData\Local\Temp\fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\SysWOW64\advhost.exe
      "C:\Windows\system32\advhost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
      PID:4220

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\adlaunch32.dll

    Filesize

    84KB

    MD5

    b6e20a48eefd44b2e597fc93b40d7aeb

    SHA1

    b1234fafe04bad83896304c862b19f15d52c5b72

    SHA256

    5f37bea07a0438cf5564e22ffca3650e6bebc26c1a78da39fc188195b619f2bb

    SHA512

    ab34ccf43d378d3e1110195320d601ec370fd2bda777ba9e4c6aadbbdaf5ec4b437237fd24602b3815e30e62727e3cc5007fce045218e402804beffb9a1bfe5a

  • C:\Windows\SysWOW64\advhost.exe

    Filesize

    968KB

    MD5

    c88644da84be1519255c33217790e26e

    SHA1

    3949500b0b2a7eba04b67adec41d477b1264ed73

    SHA256

    4a277ec7db1f5aabc782c6c3f27b0b619c46d519359330a965863c24dbdeef33

    SHA512

    3cc4bd92f1535f875a3acbc7507ee69d93f3f4ff88de235ef8c24c0337df4f99603aec746b9681da738fffe6265fdd439312177265905ba849cafc1320539167