Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2023, 12:37
Static task: static1
Behavioral task: behavioral1
  Sample: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  Resource: win10v2004-20230220-en
General
Target: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
Size: 449KB
MD5: 010510fa1699192fcf419d8d0979d326
SHA1: 90e52323fbe695e19b12eb19abadd54140bc8bfa
SHA256: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb
SHA512: 163f2ea50a79ece7d380d0d34224caab011ea7e6ee4900e184db602feb1f6119abc0478e5a2c5ab73ca8a02ac555f8103787dcad38050ec1b1e60d4acaa979e7
SSDEEP: 6144:2Ya6r7pbu7cahyvQjwEPM9lKH9bZey354wS/yPulz75aWWvSZf:2YnQVhy7uMSdbZey3if/y2t9aLw
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | spfxemttfw.exe
Executes dropped EXE (2 IoCs)
  PID 4720 spfxemttfw.exe
  PID 4408 spfxemttfw.exe
Suspicious use of SetThreadContext (3 IoCs)
  PID 4720 (spfxemttfw.exe) set thread context of PID 4408 (procid_target 86)
  PID 4408 (spfxemttfw.exe) set thread context of PID 3140 (procid_target 18)
  PID 2644 (help.exe) set thread context of PID 3140 (procid_target 18)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
  Key created | \Registry\User\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | help.exe
Modifies registry class (2 IoCs)
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4408 spfxemttfw.exe (8 hits)
  PID 2644 help.exe (56 hits)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3140 Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
  PID 4720 spfxemttfw.exe (1 hit)
  PID 4408 spfxemttfw.exe (3 hits)
  PID 2644 help.exe (4 hits)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege | PID 4408 spfxemttfw.exe
  Token: SeDebugPrivilege | PID 2644 help.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3140 Explorer.EXE (2 hits)
Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1336 (3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe) wrote to memory of PID 4720 (procid_target 85), 3 times
  PID 4720 (spfxemttfw.exe) wrote to memory of PID 4408 (procid_target 86), 4 times
  PID 3140 (Explorer.EXE) wrote to memory of PID 2644 (procid_target 87), 3 times
  PID 2644 (help.exe) wrote to memory of PID 1208 (procid_target 94), 3 times
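The WriteProcessMemory, SetThreadContext and MapViewOfSection rows above are most useful read together as an injection graph: who placed code in whom, and whether the target was a child the writer had just created or an already-running process. The Python script below is an added example, not part of the tria.ge report. It parses the report's "wrote to memory of" / "set thread context of" IoC lines (reproduced inline as constructed input), takes the PID-to-image and parent-child maps from the process tree in the Processes section, and derives the hollowing pairs, the per-event classification and the end-to-end chain from the submitted sample to Firefox.exe. The labels "child"/"existing" and all function names are this example's own conventions.

```python
"""Reconstruct the process-injection chain from tria.ge-style IoC lines.

Added example: input lines are copied from the report's signature tables
(constructed input, de-duplicated on parse); IMAGE and PARENT come from the
report's process tree. Nothing here contacts the sandbox or the sample.
"""
import re
from collections import defaultdict

IOC_LINES = """
PID 1336 wrote to memory of 4720 1336 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe 85
PID 4720 wrote to memory of 4408 4720 spfxemttfw.exe 86
PID 3140 wrote to memory of 2644 3140 Explorer.EXE 87
PID 2644 wrote to memory of 1208 2644 help.exe 94
PID 4720 set thread context of 4408 4720 spfxemttfw.exe 86
PID 4408 set thread context of 3140 4408 spfxemttfw.exe 18
PID 2644 set thread context of 3140 2644 help.exe 18
"""

# PID -> image name and PID -> parent PID, read off the report's process tree.
IMAGE = {
    3140: "Explorer.EXE",
    1336: "3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe",
    4720: "spfxemttfw.exe",
    4408: "spfxemttfw.exe",
    2644: "help.exe",
    1208: "Firefox.exe",
}
PARENT = {1336: 3140, 4720: 1336, 4408: 4720, 2644: 3140, 1208: 2644}

# "PID <src> <action> <dst> <src again> <image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) \d+"
)


def parse_events(text):
    """Return unique (src_pid, action, dst_pid) tuples in order of first appearance.
    action is 'write' (WriteProcessMemory) or 'setctx' (SetThreadContext)."""
    seen, events = set(), []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        action = "write" if m["action"].startswith("wrote") else "setctx"
        ev = (int(m["src"]), action, int(m["dst"]))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def hollowing_pairs(events):
    """(src, dst) pairs where src both wrote into dst and set a thread context
    there: the WriteProcessMemory + SetThreadContext combination of process
    hollowing / thread hijacking."""
    actions = defaultdict(set)
    for src, action, dst in events:
        actions[(src, dst)].add(action)
    return sorted(p for p, a in actions.items() if a == {"write", "setctx"})


def classify(events):
    """Label each event 'child' (target was spawned by the source) or 'existing'
    (target was already running, here Explorer.EXE)."""
    return [
        (IMAGE[src], action, IMAGE[dst], "child" if PARENT.get(dst) == src else "existing")
        for src, action, dst in events
    ]


def injection_chain(events, root):
    """Depth-first walk over write/setctx edges starting at the sample's PID.
    The visited set breaks the help.exe -> Explorer.EXE -> help.exe loop."""
    adj = defaultdict(list)
    for src, _, dst in events:
        if dst not in adj[src]:
            adj[src].append(dst)
    order, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(adj[pid]))
    return order


if __name__ == "__main__":
    evs = parse_events(IOC_LINES)
    print("hollowing pairs:", hollowing_pairs(evs))
    for row in classify(evs):
        print("%-70s %-7s -> %-12s [%s]" % row)
    print("chain:", " -> ".join(f"{p} ({IMAGE[p]})" for p in injection_chain(evs, 1336)))
```

Two things the output makes explicit that the flat tables do not: only the 4720 -> 4408 pair shows the full write-then-SetThreadContext hollowing pattern, while the two SetThreadContext calls into Explorer.EXE (PID 3140) have no matching WriteProcessMemory from the same PID, which is consistent with the MapViewOfSection hits recorded for 4408 and 2644 (section mapping is the other common way to place code in a remote process). The chain also shows that help.exe, a signed Windows binary started by the already-compromised Explorer.EXE, is the process that finally writes into Firefox.exe, so a detection keyed only on the dropped spfxemttfw.exe would miss the last hop.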
Processes
1. C:\Windows\Explorer.EXE (PID 3140)
   Command line: C:\Windows\Explorer.EXE
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe (PID 1336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe (PID 4720)
         Command line: "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe" C:\Users\Admin\AppData\Local\Temp\xzrym.t
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe (PID 4408)
            Command line: "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\help.exe (PID 2644)
      Command line: "C:\Windows\SysWOW64\help.exe"
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1208)
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 205KB
MD5: bedab9ae8e5cdc69d5cb83a001694e04
SHA1: 72704a6f4251f8fd48ebe7bc61211e305d0f6cbf
SHA256: 7ca8d817d6c32cefa8872e1d31ec84694440a301f5d1330217c5569774e6dc92
SHA512: 64159a0fcc2ec5d1ed221ac5a3458fccd8d9cbfcbd6854987775a74eecc759e5a75333a04a324f86991ac6b5e7b7d387952d98e59e8fde05c5cbf50dedc6794a

Filesize: 52KB (listed three times in the report with identical hashes)
MD5: 8c5a224a012ceed51a7331f83ceff97f
SHA1: f98b7e03786d64a0df2837a0a9c189ddae2602e5
SHA256: c1cda8b5d7ad7b6bf0fb72ed5e81eba949d3ac9564fe5f58c5d3cc624c21c62d
SHA512: 4873094ef7f351d119bb87058dd68a662d564aca83472102a973bab5e1d42ee494c14464ad783369e583ad6bdef41486fd745b741c3b78907ea30d1313a2abe2

Filesize: 5KB
MD5: 83fdbf1ffe575a7636e3686d4a09a5dd
SHA1: 75b33c714338f4205af1ff99dfa81448d1121e39
SHA256: 1764c92545c4e0ce4584b6b507eff208e466398e29bb17b12371b1934617ffc1
SHA512: eca6efe2b7b40ef1266a93d25b56bbdf6b71024d719c2ae0f6a59248af50be901139566916df601e60909e07437dbcca157036a5398a385257654db106753b7a