Analysis
  max time kernel: 100s
  max time network: 127s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/03/2023, 01:30
Static task: static1

Behavioral task: behavioral1
  Sample: a1c5f268d670ba3a4440647bdeaa3e20.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: a1c5f268d670ba3a4440647bdeaa3e20.exe
  Resource: win10v2004-20230220-en
General
  Target: a1c5f268d670ba3a4440647bdeaa3e20.exe
  Size: 308KB
  MD5: a1c5f268d670ba3a4440647bdeaa3e20
  SHA1: e79227b1a17dc76882f9eef1d65eb7588cce21a4
  SHA256: 1868f0807fb9ad9be1629bc214b755ede9937036622ef31ae877617aba840080
  SHA512: 7d43dd7edf54e5853eeea1636e3d05b7880f420d3cfdefc133e53287bb6814ac17921603922ac6c469540564a04d7a6504da5e79d711faff4148b0e7f68c2527
  SSDEEP: 6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1zEP3:i814Xn0Ti8tbJyIQdjrfzBEP3
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 1524 | pid_target: 4508 | process: rundll32.exe | procid_target: 55

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
  process: a1c5f268d670ba3a4440647bdeaa3e20.exe

Loads dropped DLL (1 IoC)
  pid: 4444 | process: rundll32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid: 388 | pid_target: 4444 | process: WerFault.exe | procid_target: 88

Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header | flow: 14
  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid: 3796 | process: a1c5f268d670ba3a4440647bdeaa3e20.exe (2 events)
  pid: 4668 | process: a1c5f268d670ba3a4440647bdeaa3e20.exe (2 events)

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3796 wrote to memory of 4668 | pid: 3796 | process: a1c5f268d670ba3a4440647bdeaa3e20.exe | procid_target: 86 (3 events)
  description: PID 1524 wrote to memory of 4444 | pid: 1524 | process: rundll32.exe | procid_target: 88 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\a1c5f268d670ba3a4440647bdeaa3e20.exe (PID 3796)
  command line: "C:\Users\Admin\AppData\Local\Temp\a1c5f268d670ba3a4440647bdeaa3e20.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\a1c5f268d670ba3a4440647bdeaa3e20.exe (PID 4668, child of 3796)
      command line: "C:\Users\Admin\AppData\Local\Temp\a1c5f268d670ba3a4440647bdeaa3e20.exe" -h
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\rundll32.exe (PID 1524)
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 4444, child of 1524)
      command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      - Loads dropped DLL
        C:\Windows\SysWOW64\WerFault.exe (PID 388, child of 4444)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 600
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 404)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4444 -ip 4444
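The three behaviours above that are most useful as detections (wmiprvse.exe spawning rundll32.exe, rundll32.exe loading a DLL out of a user's Temp directory, and the WinHttp.WinHttpRequest User-Agent) can be checked on host telemetry. The following is an added example written for this page, not tria.ge code: the event schema (pid, image, parent_image, cmdline, flow, user_agent) is an assumed generic EDR-style layout, the events are constructed from the report's process tree and IoCs (parents the report does not record are left as None, and one benign rundll32.exe/explorer.exe event is added as a negative case), and the wmiprvse.exe child allowlist and user-writable directory list are assumptions to tune per environment.

```python
"""Detection logic for three behaviours flagged in the report (added example, not
tria.ge code). Assumed generic EDR-style event fields; constructed sample events."""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a1c5f268d670ba3a4440647bdeaa3e20.exe"

# Constructed from the report's "Processes" section. Parents the report does not
# record are None. The last event is a constructed benign negative case.
PROCESS_EVENTS = [
    {"pid": 3796, "parent_image": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4668, "parent_image": SAMPLE, "image": SAMPLE, "cmdline": f'"{SAMPLE}" -h'},
    {"pid": 1524, "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open'},
    {"pid": 4444, "parent_image": r"C:\Windows\system32\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open'},
    {"pid": 388, "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 600"},
    {"pid": 404, "parent_image": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4444 -ip 4444"},
    {"pid": 9001, "parent_image": r"C:\Windows\explorer.exe",  # constructed benign case
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Flow 14 is from the report; flow 15 is a constructed benign browser request.
HTTP_EVENTS = [
    {"flow": 14, "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"flow": 15, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"},
]

# Assumed allowlist: children wmiprvse.exe is expected to create in this environment.
WMIPRVSE_EXPECTED_CHILDREN = {"werfault.exe", "conhost.exe"}
# Assumed (non-exhaustive) set of directories a standard user can write to.
USER_WRITABLE_DIR = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)", re.I)
# rundll32 argument form: <dll path>,<export>, with the path optionally quoted.
RUNDLL32_ARGS = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>[^\s,]+)',
    re.I)
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest", re.I)


def basename(path):
    """Lower-cased file name of a Windows path; '' for a missing path."""
    return PureWindowsPath(path).name.lower() if path else ""


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL32_ARGS.match(cmdline)
    return (m.group("dll").strip(), m.group("export")) if m else None


def rule_unexpected_child(ev):
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent == "wmiprvse.exe" and child not in WMIPRVSE_EXPECTED_CHILDREN:
        return f"{parent} spawned {child}"
    return None


def rule_rundll32_user_writable(ev):
    if basename(ev["image"]) != "rundll32.exe":
        return None
    parsed = parse_rundll32(ev["cmdline"])
    if parsed and USER_WRITABLE_DIR.match(parsed[0]):
        return f"rundll32 loaded {parsed[0]} (export {parsed[1]}) from a user-writable path"
    return None


def rule_script_user_agent(ev):
    if SCRIPT_UA.search(ev["user_agent"]):
        return f"script-host User-Agent: {ev['user_agent']}"
    return None


def triage(process_events, http_events):
    """Run every rule over the events; return (rule name, pid-or-flow, detail) tuples."""
    alerts = []
    for ev in process_events:
        for rule in (rule_unexpected_child, rule_rundll32_user_writable):
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, ev["pid"], hit))
    for ev in http_events:
        hit = rule_script_user_agent(ev)
        if hit:
            alerts.append((rule_script_user_agent.__name__, ev["flow"], hit))
    return alerts


if __name__ == "__main__":
    for name, key, detail in triage(PROCESS_EVENTS, HTTP_EVENTS):
        print(f"{name:28s} {key:>5}  {detail}")
```

On the constructed events this raises four alerts: PID 1524 twice (unexpected parent and the Temp-directory DLL), PID 4444 once (the same DLL, loaded by the SysWOW64 rundll32.exe the 64-bit one spawned), and flow 14 for the User-Agent; the WerFault.exe processes and the benign shell32.dll invocation are not flagged. The DLL-path rule is the one that survives the parent-process detail changing, since a loader can be launched from many parents but the dropped DLL still has to live somewhere the sample could write.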
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 557KB
  MD5: 54ac3dad9676bf56d6d5916d099b7859
  SHA1: 02a2b6459c451069a81aebaf1fa7753b663f4c6a
  SHA256: e0e68ac4dc7141316a94c076f2b503e104207bcc2746dfa9e0c64a17bc984a0a
  SHA512: 7239359a7e22eb6a12ab370d52666fd67247d50dd52a58fffe2998ab16916088da7b15dd28c25bedc29f7ad4889f5e7a0f53cff94ea38843fc8060760d124c1d

File 2 (listed twice in the report with identical hashes)
  Filesize: 52KB
  MD5: 1b20e998d058e813dfc515867d31124f
  SHA1: c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
  SHA256: 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
  SHA512: 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6