Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    70s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 13:01

General

  • Target

    304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe

  • Size

    184KB

  • MD5

    4d36e000b64bf076db39a16e2ed6fcdf

  • SHA1

    325887bf4aa370235e6e2ae34faddf56d6143643

  • SHA256

    304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5

  • SHA512

    205cd35991fc2535ddf618c80ab30abaf1bde509007480ecd77cee5eb941e624ba6b92d5e67fe8e40962d4635181e692cb4f0edcc31c3f2bfa06f7e120209795

  • SSDEEP

    3072:9ydJq5oyVzs+h0JI5J0SpUldLS3lgGBd/AkKHBRQ/rPOy9xnnHsGvPwsAvWDA:4W2+tUnoC2/ALhyzpsGvPw6k

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
    "C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3400
        • C:\Windows\SysWOW64\reg.exe
          reg save HKLM\SOFTWARE c:\OfficeRegBak.hiv
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2996

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

    Filesize

    86KB

    MD5

    216ecd0bfdbc552f593f05b9ebe5dbfa

    SHA1

    fe6bb61411801f1a62e133d994455083c5b99820

    SHA256

    96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

    SHA512

    da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE

    Filesize

    86KB

    MD5

    216ecd0bfdbc552f593f05b9ebe5dbfa

    SHA1

    fe6bb61411801f1a62e133d994455083c5b99820

    SHA256

    96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b

    SHA512

    da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd

    Filesize

    981B

    MD5

    b8f78830dd1782e12b8807aea7384ac2

    SHA1

    bee8e85498a0e0add628bda558dfe652554e0ec4

    SHA256

    c374fabdfe02c9434af163e230d88c34387a461efb6fe251f602a45766dfba35

    SHA512

    3799f6d162bdfc01bad49b22490387c8c71c36bf163bca22748b47e5a48c7b9e4b46c40f94246b08368a972e0ade4c6af0b59a681aeb3f77640fdc7e1d01f4fa

  • memory/4720-135-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4720-136-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB