Analysis

  • max time kernel
    323s
  • max time network
    379s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2022, 03:43

General

  • Target

    c847148c9227c7418626010bda0b1a981fdd00c26fa454fb8853954a5784e168.exe

  • Size

    184KB

  • MD5

    c0d91cc078eb147bf24568025917fe7e

  • SHA1

    12ceed7587fa48f3b3393f75819ce96b65061b1b

  • SHA256

    c847148c9227c7418626010bda0b1a981fdd00c26fa454fb8853954a5784e168

  • SHA512

    f668a57fcb3bd89ed0bd986053481633af79534dd7b22c70e28660cd571ee64e210dad61d4d1cd0ddefcc163783ca4810f7a769a07c3f579d0c8cd64020763b9

  • SSDEEP

    3072:9KjcvoYCsck6HR1kT+SCBT2KD0gwcJ1USgyavhmVizMpb0yv8+Tb:9NwsckgH++SCNvFwcJ1USgya5Y6MpbYc

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry; likely a geofence check.

  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c847148c9227c7418626010bda0b1a981fdd00c26fa454fb8853954a5784e168.exe
    "C:\Users\Admin\AppData\Local\Temp\c847148c9227c7418626010bda0b1a981fdd00c26fa454fb8853954a5784e168.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\nonam.exe
      "C:\Users\Admin\nonam.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4524
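The three registry-backed behaviours listed under Signatures (the Run-key persistence, the change to Explorer's hidden/system-file visibility, and the location lookup) can be checked on a host or against a sandbox registry trace. The script below is an added example, not part of the tria.ge report or of the sample: the registry paths are the standard Windows ones, but which value names and data this particular sample writes is an assumption, and the event list is constructed to mirror the nonam.exe drop shown under Processes.

```python
"""Check registry events for the persistence, Explorer-visibility and
geolocation behaviours listed under Signatures.

Added example, not part of the tria.ge report. Registry locations are the
standard Windows ones; the exact value names and data written by this
sample are an assumption, as is the constructed event list at the bottom.
"""

# Autostart keys consulted at logon (well-known locations, not from the report).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Explorer folder-view settings: Hidden (1 = show hidden files, 2 = hide them)
# and ShowSuperHidden (0 = hide protected operating-system files).
EXPLORER_ADVANCED = (
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
)
VISIBILITY_VALUES = {"hidden", "showsuperhidden"}
# Country configured for the user; reading it before deciding whether to run
# is the usual geofence check.
GEO_KEY = r"hkey_current_user\control panel\international\geo"

# Locations a non-admin user can write to; a legitimate autostart entry rarely
# lives there (heuristic, assumption).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "%appdata%", "%localappdata%", "%temp%", "%userprofile%",
)


def is_user_writable(command):
    """True if an autostart command's target sits in a user-writable location."""
    target = command.strip().lstrip('"').lower()
    return target.startswith(USER_WRITABLE_PREFIXES)


def check_registry_events(events):
    """events: iterable of (op, key, value_name, data) tuples, op in {'set', 'query'},
    as obtained from a sandbox registry trace or by diffing two .reg exports.
    Returns a list of (signature, detail) findings."""
    findings = []
    for op, key, name, data in events:
        k = key.lower()
        if op == "set" and k in RUN_KEYS and is_user_writable(str(data)):
            findings.append(("Adds Run key to start application", f"{name} -> {data}"))
        elif op == "set" and k == EXPLORER_ADVANCED and name.lower() in VISIBILITY_VALUES:
            findings.append(
                ("Modifies visibility of hidden/system files in Explorer", f"{name} = {data}")
            )
        elif op == "query" and k == GEO_KEY and name.lower() == "nation":
            findings.append(("Checks computer location settings", f"read {key}\\{name}"))
    return findings


# Constructed sample trace modelled on the Processes section above (nonam.exe
# dropped into the user profile). Value names and data are assumptions; the
# OneDrive entry is a benign control that should not be flagged.
SAMPLE_EVENTS = [
    ("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "nonam", r"C:\Users\Admin\nonam.exe"),
    ("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", 2),
    ("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", 0),
    ("query", r"HKEY_CURRENT_USER\Control Panel\International\Geo", "Nation", None),
]

if __name__ == "__main__":
    for sig, detail in check_registry_events(SAMPLE_EVENTS):
        print(f"[{sig}] {detail}")
```

On a live host the same tuples can be produced from `reg export` output or from Sysmon registry events (EventID 12/13); the point of keying on the writable-location heuristic rather than on the file name is that the dropped name (nonam.exe here) is the part an operator can change most cheaply.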

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\nonam.exe

    Filesize

    184KB

    MD5

    75a6d75227032ecf3f1d7e060a6941bc

    SHA1

    8ce727e17ab870d14ed1761391343155012b9b62

    SHA256

    9bd63339d87b0d402a27dcb1387af41b888a82426917a8fd50179eef5390f5db

    SHA512

    f945f0642a9055ae9e1627dbb2b1e136fc9c22be74cad97297c4f0911bd97c4408b9b3d02923c4498b16acffe5ac9b6a582010ec5f8dd1c99d1055b9a45ba5ab