Analysis
max time kernel: 101s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/01/2023, 04:09
Static task: static1
Behavioral task: behavioral1
  Sample: d7eh4zQ01VMimnB34BJB.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: d7eh4zQ01VMimnB34BJB.exe
  Resource: win10v2004-20221111-en
General
Target: d7eh4zQ01VMimnB34BJB.exe
Size: 4.8MB
MD5: 07b79a91bad1618cdf1828997ee09df3
SHA1: d3ac31c9540edbbbbb9b815287808f47bbbd0692
SHA256: 5a108eb10751551eaf2fdafee5c9f05033d6d83c524dd20060a464d158cf1bfd
SHA512: d8ba6f8d1f2b6baadcf7eda5c0cf59db418ae8371ec37cb11266ef9d59b0bda152775b4f416ace72de7ab2c94bf311378efbda0ae30aa2f6caf58775a057e953
SSDEEP: 98304:qr5z4M9qNOtHF33FJ6pO/FUSrAcD53U08RRI:eyM6OtH5FM42SsX0C
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
  pid 1812  Process 5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  Process d7eh4zQ01VMimnB34BJB.exe
Loads dropped DLL (1 IoC)
  pid 3600  Process osk.exe
YARA rule match: themida
  resource behavioral2/files/0x000500000001e87b-145.dat  yara_rule themida
  resource behavioral2/files/0x000500000001e87b-146.dat  yara_rule themida
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 1260  Process d7eh4zQ01VMimnB34BJB.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (1 IoC)
  pid 2368  Process taskkill.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 1260  Process d7eh4zQ01VMimnB34BJB.exe (2 entries)
  pid 1812  Process 5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe (4 entries)
Suspicious behavior: RenamesItself (1 IoC)
  pid 1260  Process d7eh4zQ01VMimnB34BJB.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2368  Process taskkill.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 3600  Process osk.exe (10 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process                                   procid_target
  PID 1260 wrote to memory of 1812   1260  d7eh4zQ01VMimnB34BJB.exe                  85  (2 entries)
  PID 1812 wrote to memory of 3808   1812  5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe   91  (2 entries)
  PID 3808 wrote to memory of 2368   3808  cmd.exe                                   92  (2 entries)
  PID 1812 wrote to memory of 4304   1812  5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe   95  (2 entries)
  PID 4304 wrote to memory of 3600   4304  cmd.exe                                   96  (2 entries)
  PID 1812 wrote to memory of 3600   1812  5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe   96  (1 entry)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe"
    PID: 1260
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe"
      PID: 1812
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c taskkill /F /IM osk.exe
        PID: 3808
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe
          command line: taskkill /F /IM osk.exe
          PID: 2368
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c START osk.exe
        PID: 4304
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\osk.exe
          command line: osk.exe
          PID: 3600
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 18.8MB
MD5: e0afdd2b322bb0dfcc5f8b07ee5a9cc6
SHA1: 89cc9cbd3adca25ddbf7b8565390c7442ca652e1
SHA256: e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e
SHA512: daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd
Filesize: 14.0MB
MD5: ad15f206c2545310e2a0d4b1627caa33
SHA1: 8f1c225927f2d3c54d4a8269e917fc16b894cec8
SHA256: dc65e929f284fa51ba7adc8385435045ab3be4808f684cd2d6a1e499dab4b567
SHA512: 5848c1f6f6d95cd3f0edb9e6959898500210c6138d8e2e6f0c9a2b470bb60526df4d383a67299ff2c179dab7cb8744e0b3aa9b6c73b748f6d6761b953a890aad