Analysis
- max time kernel: 202s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2022, 16:27
Static task: static1
Behavioral task: behavioral1
- Sample: ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe
- Resource: win7-20220812-en
General
- Target: ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe
- Size: 107KB
- MD5: 24e35fda77b32fca7645b5f5b08a753d
- SHA1: 8d3eae011efec4fc301635facbdbf13d9cd4e1ad
- SHA256: ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9
- SHA512: 3c097c477c93686b9f72801a42f60201514a7c0a8da1520dfc9b520f8cf5e91291b952558761d4794164339bd81cf05d2f2bad53ea28e7823d589fda9b67fecb
- SSDEEP: 3072:q+ZLGuZ4IXX0dt9KK0XRnBGD8socz9bedWuDWBF0:q+ouZ4MWt9KK6nyoc1pa
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 812 set thread context of 1788 | 812 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 84
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  4340 | timeout.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 812 wrote to memory of 1788 | 812 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 84
  PID 812 wrote to memory of 1788 | 812 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 84
  PID 812 wrote to memory of 1788 | 812 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 84
  PID 812 wrote to memory of 1788 | 812 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 84
  PID 812 wrote to memory of 1788 | 812 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 84
  PID 1788 wrote to memory of 2788 | 1788 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 89
  PID 1788 wrote to memory of 2788 | 1788 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 89
  PID 1788 wrote to memory of 2788 | 1788 | ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe | 89
  PID 2788 wrote to memory of 4340 | 2788 | cmd.exe | 91
  PID 2788 wrote to memory of 4340 | 2788 | cmd.exe | 91
  PID 2788 wrote to memory of 4340 | 2788 | cmd.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe"
  PID: 812
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\ed82f1d8ccaba6adaf7627bd0ea139a71dfd2f8d7313bd5ef2dfd709c72c90f9.exe
    PID: 1788
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\ED82F1~1.EXE
      PID: 2788
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (depth 4)
        command line: timeout 5
        PID: 4340
        - Delays execution with timeout.exe