Analysis
- max time kernel: 145s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/03/2023, 23:31
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20230220-en
General
- Target: tmp.exe
- Size: 1.5MB
- MD5: 2180de6314fce94a9ebcf8483959b322
- SHA1: 1fbef557fb3a2d61c05f8e9cc28ac7e67ea34f8a
- SHA256: 2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805
- SHA512: d1161301362d5edfe44092e0d65109944a350714214c9add50954fa2d39b128741721a494811bcda24960228a6e4e9e63f7afc233104c286c89d54fce496312d
- SSDEEP: 24576:5OtT5xvEebZXz/C7Mtkq3GjABGgqgDHYEr9uW4YuPsDOdqvzHnHXh5F:5OtT/bZj4Mtp3GjAYgd3e3UPF
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
  Process: tmp.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  3012  rundll32.exe
  3012  rundll32.exe
  1656  rundll32.exe
  1656  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings
  Process: tmp.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process        procid_target
  PID 972 wrote to memory of 1968    972   tmp.exe        85
  PID 972 wrote to memory of 1968    972   tmp.exe        85
  PID 972 wrote to memory of 1968    972   tmp.exe        85
  PID 1968 wrote to memory of 3012   1968  control.exe    87
  PID 1968 wrote to memory of 3012   1968  control.exe    87
  PID 1968 wrote to memory of 3012   1968  control.exe    87
  PID 3012 wrote to memory of 736    3012  rundll32.exe   91
  PID 3012 wrote to memory of 736    3012  rundll32.exe   91
  PID 736 wrote to memory of 1656    736   RunDll32.exe   92
  PID 736 wrote to memory of 1656    736   RunDll32.exe   92
  PID 736 wrote to memory of 1656    736   RunDll32.exe   92
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 972
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
    PID: 1968
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
      PID: 3012
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\RunDll32.exe
        Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
        PID: 736
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
          PID: 1656
          - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.3MB
  MD5: cf47aab02e9b37dfdbb63bee771e0370
  SHA1: e21792f126339ce2c489625c7257efde247b23de
  SHA256: 39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150
  SHA512: d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4