Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2022, 20:15

General

  • Target

    c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe

  • Size

    21KB

  • MD5

    94a08d6a616405f1decec3176835d6ce

  • SHA1

    d254b68e976e7c3a592a6867d14b71c1a77c7977

  • SHA256

    c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4

  • SHA512

    fc6562eac2ee059de6e2feef64705bc906bbb0c5477ae984732b8a9e9537081423706af459498e6c37c96ddcd44d5296356d2569170c093f9360451bcc995b0c

  • SSDEEP

    384:UswN2+n8MQDzLg4US6pQR7HO21CkGbQ1lusU:S2+yDPg4MpQZugGk1lusU

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe
    "C:\Users\Admin\AppData\Local\Temp\c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1712
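The process tree and signatures above translate directly into host-detection logic. The following is an added example, not tria.ge's code or output: it runs a handful of rules over constructed Sysmon-style events that mirror this report (a Temp-dir executable writing C:\Windows\temp.txt, looking up the locale country code and the installed-software list, then launching NOTEPAD.EXE on the dropped file), alongside one benign notepad launch from explorer.exe that must not fire. The hashes are the ones listed on this page; the concrete registry locations (Control Panel\International\Geo and CurrentVersion\Uninstall) are assumptions, since the report names only the behaviour, not the key.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Hashes copied from the report: the sample itself and the dropped C:\Windows\temp.txt.
KNOWN_SHA256 = {
    "c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4": "sample",
    "1a245348548efbd1b61b54da0c068c8dddfeb3b7c5971b617352012f5cc778f6": "dropped temp.txt",
}

# Assumed concrete registry paths behind the report's two registry signatures.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
UNINSTALL_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WINDOWS_DIR_RE = re.compile(r"^C:\\Windows\\", re.I)


@dataclass
class Event:
    kind: str              # "process", "registry" or "file"
    pid: int
    ppid: int = 0
    image: str = ""        # executable that generated the event
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""       # registry path or created file
    sha256: str = ""       # hash of the image (process) or written file (file)


def _args(cmdline: str) -> str:
    """Return everything after the executable token of a Windows command line."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def detect(events: Iterable[Event]) -> list[tuple[str, int]]:
    """Apply the report-derived rules; returns (rule name, pid) findings."""
    findings = []
    for e in events:
        if e.sha256 in KNOWN_SHA256:
            findings.append((f"known_hash:{KNOWN_SHA256[e.sha256]}", e.pid))
        if e.kind == "file" and USER_TEMP_RE.match(e.image) and WINDOWS_DIR_RE.match(e.target):
            findings.append(("temp_exe_writes_windows_dir", e.pid))
        if e.kind == "registry" and GEO_KEY_RE.search(e.target):
            findings.append(("geo_lookup", e.pid))
        if e.kind == "registry" and UNINSTALL_KEY_RE.search(e.target):
            findings.append(("uninstall_enum", e.pid))
        if (e.kind == "process" and e.image.lower().endswith("notepad.exe")
                and USER_TEMP_RE.match(e.parent_image)
                and WINDOWS_DIR_RE.match(_args(e.cmdline))):
            findings.append(("notepad_note_from_temp_exe", e.pid))
    return findings


# Constructed events modelled on the process tree in this report; PIDs match the page.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe"
SAMPLE_EVENTS = [
    Event("process", 2268, 1000, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"',
          sha256="c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4"),
    Event("registry", 2268, image=SAMPLE, target=r"HKCU\Control Panel\International\Geo\Nation"),
    Event("registry", 2268, image=SAMPLE,
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    Event("file", 2268, image=SAMPLE, target=r"C:\Windows\temp.txt",
          sha256="1a245348548efbd1b61b54da0c068c8dddfeb3b7c5971b617352012f5cc778f6"),
    Event("process", 1712, 2268, r"C:\Windows\SysWOW64\NOTEPAD.EXE", SAMPLE,
          r'"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp.txt'),
    # Benign control: a user opening a document from explorer must not match.
    Event("process", 4000, 1000, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\notes.txt'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

The hash rules are exact-match and will miss a recompiled variant; the behavioural rules (Temp-dir parent plus notepad on a file under C:\Windows, registry reads of the geo and Uninstall keys) are what carry over to new samples, and the benign control shows why the parent-image check matters.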

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\temp.txt

    Filesize

    50B

    MD5

    a3678cf79c4f149e59c6c75c1c6f6821

    SHA1

    0239522d74d7516e13e740e8aed22630325a09ce

    SHA256

    1a245348548efbd1b61b54da0c068c8dddfeb3b7c5971b617352012f5cc778f6

    SHA512

    73fbc895f89fffedb9f2d87aa0fa1fc238ecb5c5c5d00ef828f2d1861407513b8847dedc96b56e0ef9657ec370f968af3f53cf665597ad071509776c1d7a21c6