Analysis
- max time kernel: 79s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2023, 08:53
Static task: static1
Behavioral task: behavioral1
Sample: ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe
Resource: win10v2004-20230220-en
General
- Target: ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe
- Size: 1.8MB
- MD5: 4718b5fd089008b96c5d22b11817cbe3
- SHA1: 8aba85b5356f33c9219484de6351b0a3c266a092
- SHA256: ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e
- SHA512: f6e95f9f3ce776fd2c988a756e80afa7286fe2b48fc943d27953382e42740c3702510fe80d11d4c4f25790d34ed8dc19c6cc7976edf3f2a46dedd5f989d2cee6
- SSDEEP: 49152:8VORjZhBfJXAE9iI7NNpj5aDqYnnzdCochYW:cORjZhBfKEEI7Nfj5aDqYnpCoO
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  Process: ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe
- Loads dropped DLL (2 IoCs)
  pid 3296 | Process rundll32.exe
  pid 4944 | Process rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1752 wrote to memory of 2836 | 1752 | ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe | 86
  PID 1752 wrote to memory of 2836 | 1752 | ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe | 86
  PID 1752 wrote to memory of 2836 | 1752 | ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe | 86
  PID 2836 wrote to memory of 3296 | 2836 | control.exe | 87
  PID 2836 wrote to memory of 3296 | 2836 | control.exe | 87
  PID 2836 wrote to memory of 3296 | 2836 | control.exe | 87
  PID 3296 wrote to memory of 4908 | 3296 | rundll32.exe | 90
  PID 3296 wrote to memory of 4908 | 3296 | rundll32.exe | 90
  PID 4908 wrote to memory of 4944 | 4908 | RunDll32.exe | 91
  PID 4908 wrote to memory of 4944 | 4908 | RunDll32.exe | 91
  PID 4908 wrote to memory of 4944 | 4908 | RunDll32.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff5d82a6d7bea3cfebcf0749fece3bbbccb0d82e96bc5c43e86195fbf551a33e.exe"
  PID: 1752
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\System32\control.exe" .\IWRMx.F6
    PID: 2836
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\IWRMx.F6
      PID: 3296
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\RunDll32.exe
        Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\IWRMx.F6
        PID: 4908
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\IWRMx.F6
          PID: 4944
          - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.2MB
  MD5: 552eb8d0486409138352887f1c573684
  SHA1: 9c1756984b20beae6447aaad116b7e5f998aa861
  SHA256: 935615218c92829eb553a3e2ec13607d0feaf2d4a7e4e9cf93eaa8fc4b01edc2
  SHA512: cbf9700b321483b7ad31dbca3a3a194283ee96a193c699c0fa07b9d0682f5ac223b642db0e0ad5069b35a0fb850340a5f634944f8b1ca78db776b342e16950e9