Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    101s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/01/2023, 04:09

General

  • Target

    d7eh4zQ01VMimnB34BJB.exe

  • Size

    4.8MB

  • MD5

    07b79a91bad1618cdf1828997ee09df3

  • SHA1

    d3ac31c9540edbbbbb9b815287808f47bbbd0692

  • SHA256

    5a108eb10751551eaf2fdafee5c9f05033d6d83c524dd20060a464d158cf1bfd

  • SHA512

    d8ba6f8d1f2b6baadcf7eda5c0cf59db418ae8371ec37cb11266ef9d59b0bda152775b4f416ace72de7ab2c94bf311378efbda0ae30aa2f6caf58775a057e953

  • SSDEEP

    98304:qr5z4M9qNOtHF33FJ6pO/FUSrAcD53U08RRI:eyM6OtH5FM42SsX0C

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe
    "C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe
      "C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /F /IM osk.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3808
        • C:\Windows\system32\taskkill.exe
          taskkill /F /IM osk.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2368
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c START osk.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Windows\system32\osk.exe
          osk.exe
          4⤵
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:3600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe

    Filesize

    18.8MB

    MD5

    e0afdd2b322bb0dfcc5f8b07ee5a9cc6

    SHA1

    89cc9cbd3adca25ddbf7b8565390c7442ca652e1

    SHA256

    e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

    SHA512

    daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

  • C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe

    Filesize

    18.8MB

    MD5

    e0afdd2b322bb0dfcc5f8b07ee5a9cc6

    SHA1

    89cc9cbd3adca25ddbf7b8565390c7442ca652e1

    SHA256

    e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

    SHA512

    daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

  • C:\Users\Admin\AppData\Local\Temp\nQFl4M1RWRay.dll

    Filesize

    14.0MB

    MD5

    ad15f206c2545310e2a0d4b1627caa33

    SHA1

    8f1c225927f2d3c54d4a8269e917fc16b894cec8

    SHA256

    dc65e929f284fa51ba7adc8385435045ab3be4808f684cd2d6a1e499dab4b567

    SHA512

    5848c1f6f6d95cd3f0edb9e6959898500210c6138d8e2e6f0c9a2b470bb60526df4d383a67299ff2c179dab7cb8744e0b3aa9b6c73b748f6d6761b953a890aad

  • C:\Users\Admin\AppData\Local\Temp\nQFl4M1RWRay.dll

    Filesize

    14.0MB

    MD5

    ad15f206c2545310e2a0d4b1627caa33

    SHA1

    8f1c225927f2d3c54d4a8269e917fc16b894cec8

    SHA256

    dc65e929f284fa51ba7adc8385435045ab3be4808f684cd2d6a1e499dab4b567

    SHA512

    5848c1f6f6d95cd3f0edb9e6959898500210c6138d8e2e6f0c9a2b470bb60526df4d383a67299ff2c179dab7cb8744e0b3aa9b6c73b748f6d6761b953a890aad

  • memory/1260-133-0x0000000140000000-0x0000000140800000-memory.dmp

    Filesize

    8.0MB

  • memory/1260-136-0x0000000140000000-0x0000000140800000-memory.dmp

    Filesize

    8.0MB

  • memory/1260-132-0x0000000140000000-0x0000000140800000-memory.dmp

    Filesize

    8.0MB

  • memory/1812-138-0x00007FF713040000-0x00007FF71547A000-memory.dmp

    Filesize

    36.2MB

  • memory/1812-140-0x00007FF713040000-0x00007FF71547A000-memory.dmp

    Filesize

    36.2MB

  • memory/1812-147-0x00007FF713040000-0x00007FF71547A000-memory.dmp

    Filesize

    36.2MB