Analysis
- max time kernel: 150s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/02/2023, 19:42
Static task: static1
Behavioral task: behavioral1
- Sample: bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe
- Resource: win10v2004-20221111-en
General
- Target: bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe
- Size: 72KB
- MD5: 96ef8afa042404331636def662c83a9e
- SHA1: 578bc3973848495df63015d2b4d4ec9156ae2776
- SHA256: bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff
- SHA512: c2db17a51c007acbf8c033177862a5d08e0e0e5001810c1ac4ebecb7c7124f515247453ee4188d6ded9ac71be5313eb87aaa72a7c663789777caf79bcf1468b0
- SSDEEP: 384:nkNX5/j1/XiLSajU+322qiWspNdRA1E/VuXP3QAZx31zTm31CuU/S0Q+duWx/3:kNpJ/X8jU+mNwOKVMgAZxlEU/Sg3
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Process: bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe
- Executes dropped EXE (1 IoC)
  pid: 4952 | Process: test.exe
- resource / yara_rule
  behavioral2/files/0x000a000000022e32-133.dat | upx
  behavioral2/files/0x000a000000022e32-134.dat | upx
  behavioral2/memory/4952-135-0x0000000000B20000-0x0000000000B60000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description: File opened for modification | ioc: C:\Windows\System32\gpedit.msc | Process: mmc.exe
  description: File opened for modification | ioc: C:\Windows\System32\GroupPolicy | Process: mmc.exe
  description: File opened for modification | ioc: C:\Windows\System32\GroupPolicy\gpt.ini | Process: mmc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | Process: cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4952 | Process: test.exe (the same entry is listed 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 4656 | Process: mmc.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description: Token: 33 | pid: 4656 | Process: mmc.exe (listed twice)
  description: Token: SeIncBasePriorityPrivilege | pid: 4656 | Process: mmc.exe (listed twice)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid: 3916 | Process: bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe
  pid: 4656 | Process: mmc.exe (listed four times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3916 wrote to memory of 4952 | pid: 3916 | Process: bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe | procid_target: 81 (listed three times)
  description: PID 4952 wrote to memory of 1232 | pid: 4952 | Process: test.exe | procid_target: 84 (listed three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb946145a3856aa548b4e17d1cf9a4450b81b4e83a832554aefd5747834fa3ff.exe"
  PID: 3916
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\homo\test.exe
    Command line: "C:\ProgramData\homo\test.exe"
    PID: 4952
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start C:\ProgramData\114514
      PID: 1232
      - Modifies registry class
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1540
- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  PID: 4656
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 103KB
  MD5: fff506076c8b3e5a0947dacd74ab9c09
  SHA1: 596a13421230a19d8ba704466085cac455ad6004
  SHA256: bd213f8096c5067ee562d087ee4c70f47a5d3f4f6eacd9e570ee7de91e4c58a7
  SHA512: 67c0a44022b16f20b6584a973d571b2780d0dd31dcfefc5cebea55d68c1690d5ffc6d5eef66f32000a073ca5a9b54e971a1f7a37b7d1502bfd5637c6939d133a