Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
76s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2023, 11:36
Static task
static1
Behavioral task
behavioral1
Sample
d5e7b6fe3bb68f1da7ec111231292f02.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
d5e7b6fe3bb68f1da7ec111231292f02.exe
Resource
win10v2004-20230220-en
General
-
Target
d5e7b6fe3bb68f1da7ec111231292f02.exe
-
Size
308KB
-
MD5
d5e7b6fe3bb68f1da7ec111231292f02
-
SHA1
1e71cbeb2caba1f955219f916fce7d13c05436b6
-
SHA256
b261a7995c16bc433bd714b2830e519c40c3b8bd60ad6a6239ce27e672dc6650
-
SHA512
f9d71917272958ef2cdae91b812d7aca62ee1d0993957ae734aaa7cbdcc88792cb52614515aa8f94c176ac56ac4f89bae902c142c5e187584fe25e7a335ac2c2
-
SSDEEP
6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1dEP3:i814Xn0Ti8tbJyIQdjrfzPEP3
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4308 1292 rundll32.exe 38 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation d5e7b6fe3bb68f1da7ec111231292f02.exe -
Loads dropped DLL 1 IoCs
pid Process 5076 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3104 5076 WerFault.exe 88 -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3060 d5e7b6fe3bb68f1da7ec111231292f02.exe 3060 d5e7b6fe3bb68f1da7ec111231292f02.exe 2524 d5e7b6fe3bb68f1da7ec111231292f02.exe 2524 d5e7b6fe3bb68f1da7ec111231292f02.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3060 wrote to memory of 2524 3060 d5e7b6fe3bb68f1da7ec111231292f02.exe 86 PID 3060 wrote to memory of 2524 3060 d5e7b6fe3bb68f1da7ec111231292f02.exe 86 PID 3060 wrote to memory of 2524 3060 d5e7b6fe3bb68f1da7ec111231292f02.exe 86 PID 4308 wrote to memory of 5076 4308 rundll32.exe 88 PID 4308 wrote to memory of 5076 4308 rundll32.exe 88 PID 4308 wrote to memory of 5076 4308 rundll32.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe"C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe"C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe" -h2⤵
- Suspicious use of SetWindowsHookEx
PID:2524
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
PID:5076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 6003⤵
- Program crash
PID:3104
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5076 -ip 50761⤵PID:1168
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
557KB
MD5d8fdf3094adfa6cd96ad85cb3b1c0888
SHA1e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef
SHA256234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087
SHA512a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6