Analysis

  • max time kernel
    193s
  • max time network
    229s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 16:49

General

  • Target

    cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe

  • Size

    217KB

  • MD5

    b4f5bfc0ab0cc3d6b7a6b9653784de56

  • SHA1

    c5314c708dbcd5d2f76bdab8ea3848c2bc1777c9

  • SHA256

    cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e

  • SHA512

    f94b3d6f024e64fa8761a4db9dbb5c8d308752d487fb3f859ae5d22ef950ebf200787c9d491462248fedcbbd031b6c8d1c3c3c0415b0f13b2777a237b4d314e4

  • SSDEEP

    3072:D1dlKwgj23+Oz05YoNozPTQydKKQR4KQS+2YkX4NX1enJ0fVTdCqBzIwPwR/3HFX:D1dlZro5yPTQyoKjh2Yn91285dFz1mH9

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
    "C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Hmas.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1596

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Hmas.doc

    Filesize

    109KB

    MD5

    38b3a3a2f3679d1f12dc76208aeef7d2

    SHA1

    eece72da5420c5ea8501a8273a0e1bd6fe59148b

    SHA256

    05b12df7e9ee980fcad3ce4b0dd8335578a458be4328ea895d1cb9247ee2ac30

    SHA512

    619870731a2a6bda44bf92bf035f1d8a5001fe7a6300b990a841dbedb1354487bba477c739dc7c82790ae81d0d0a6bb176f963df355b97ffebe5512c138ade72

  • memory/1596-134-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

    Filesize

    64KB

  • memory/1596-136-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

    Filesize

    64KB

  • memory/1596-135-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

    Filesize

    64KB

  • memory/1596-137-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

    Filesize

    64KB

  • memory/1596-138-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

    Filesize

    64KB

  • memory/1596-139-0x00007FFD141D0000-0x00007FFD141E0000-memory.dmp

    Filesize

    64KB

  • memory/1596-140-0x00007FFD141D0000-0x00007FFD141E0000-memory.dmp

    Filesize

    64KB