Analysis
  max time kernel: 133s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06/12/2022, 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  Resource: win10v2004-20220812-en
General
  Target: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  Size: 52KB
  MD5: f3bb66276e7ac3a94edc1a9a9ca53c37
  SHA1: e2f6fec017026e5563398fb8495ce646868e302b
  SHA256: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde
  SHA512: 9cd768523c75074fa4b4b4f99d1548c160a7f5fb87d20b28043e5bb4cca9ab4496aa0ed643b6f12c6f75b59565df4bda8fd9c7fd5e28a7d9327384447f5b58d8
  SSDEEP: 768:GSnjtx4xj1NVf84XWWJtvdvpofMB9pXJXHMXxTIeRtYU7:1ExRrft3CaBsBTIefR7
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid | Process
  5020 | winlogon.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe" | winlogon.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe" | winlogon.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Drops autorun.inf file (1 TTPs, 26 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | \??\H:\autorun.inf | winlogon.exe
  File opened for modification | \??\K:\autorun.inf | winlogon.exe
  File opened for modification | \??\W:\autorun.inf | winlogon.exe
  File opened for modification | \??\B:\autorun.inf | winlogon.exe
  File opened for modification | \??\E:\autorun.inf | winlogon.exe
  File opened for modification | \??\I:\autorun.inf | winlogon.exe
  File opened for modification | \??\L:\autorun.inf | winlogon.exe
  File opened for modification | \??\M:\autorun.inf | winlogon.exe
  File opened for modification | \??\P:\autorun.inf | winlogon.exe
  File opened for modification | \??\Q:\autorun.inf | winlogon.exe
  File opened for modification | \??\U:\autorun.inf | winlogon.exe
  File opened for modification | \??\A:\autorun.inf | winlogon.exe
  File opened for modification | \??\Z:\autorun.inf | winlogon.exe
  File opened for modification | D:\autorun.inf | winlogon.exe
  File opened for modification | \??\G:\autorun.inf | winlogon.exe
  File opened for modification | \??\T:\autorun.inf | winlogon.exe
  File opened for modification | \??\X:\autorun.inf | winlogon.exe
  File opened for modification | \??\Y:\autorun.inf | winlogon.exe
  File opened for modification | C:\autorun.inf | winlogon.exe
  File opened for modification | \??\J:\autorun.inf | winlogon.exe
  File opened for modification | \??\N:\autorun.inf | winlogon.exe
  File opened for modification | \??\O:\autorun.inf | winlogon.exe
  File opened for modification | \??\R:\autorun.inf | winlogon.exe
  File opened for modification | \??\S:\autorun.inf | winlogon.exe
  File opened for modification | \??\V:\autorun.inf | winlogon.exe
  File opened for modification | \??\F:\autorun.inf | winlogon.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\winlogon.exe | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  File opened for modification | C:\Windows\winlogon.exe | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  File created | C:\Windows\winlogon.exe | winlogon.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  5020 | winlogon.exe (this same row is reported 64 times)
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4364 | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  4364 | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  5020 | winlogon.exe
  5020 | winlogon.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4364 wrote to memory of 5020 | 4364 | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe | 78
  PID 4364 wrote to memory of 5020 | 4364 | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe | 78
  PID 4364 wrote to memory of 5020 | 4364 | a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe | 78
Processes
  1. C:\Users\Admin\AppData\Local\Temp\a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe"
     PID: 4364
     - Checks computer location settings
     - Drops file in Windows directory
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\winlogon.exe
        Command line: "C:\Windows\winlogon.exe"
        PID: 5020
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops autorun.inf file
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 52KB
  MD5: f3bb66276e7ac3a94edc1a9a9ca53c37
  SHA1: e2f6fec017026e5563398fb8495ce646868e302b
  SHA256: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde
  SHA512: 9cd768523c75074fa4b4b4f99d1548c160a7f5fb87d20b28043e5bb4cca9ab4496aa0ed643b6f12c6f75b59565df4bda8fd9c7fd5e28a7d9327384447f5b58d8