Analysis
- max time kernel: 154s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/03/2023, 15:41

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: e066fc71749b0a90749d3b8af5b53aa21bab9d43c63cddcb46c9b1f9ae5beb76.exe
  Resource: win7-20230220-en
- Behavioral task: behavioral2
  Sample: e066fc71749b0a90749d3b8af5b53aa21bab9d43c63cddcb46c9b1f9ae5beb76.exe
  Resource: win10v2004-20230221-en
General
- Target: e066fc71749b0a90749d3b8af5b53aa21bab9d43c63cddcb46c9b1f9ae5beb76.exe
- Size: 251KB
- MD5: e25796ad27eb0153d8662e37d05ec56b
- SHA1: 47e308112a5b98f8b2d286bb09c4559b6021b3bc
- SHA256: e066fc71749b0a90749d3b8af5b53aa21bab9d43c63cddcb46c9b1f9ae5beb76
- SHA512: a425eb1df23630def72f07d528ad157b57d0291713e8969f590f5969688e559e9c2a37b2abf78c4ec650ea8d8edaa398d60ad26323c6679b8c7d30cb44ff210c
- SSDEEP: 6144:DYa6T344OhBM8I5Tq7kDaFqPocnRppmMgDN0h0wx/:DYRuhBz4anOa03/
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
  Process: mgcah.exe

- Executes dropped EXE (2 IoCs)
  pid 1988  Process mgcah.exe
  pid 1300  Process mgcah.exe

- Suspicious use of SetThreadContext (3 IoCs)
  PID 1988 set thread context of 1300  (pid 1988, Process mgcah.exe, procid_target 85)
  PID 1300 set thread context of 3148  (pid 1300, Process mgcah.exe, procid_target 25)
  PID 4184 set thread context of 3148  (pid 4184, Process msdt.exe, procid_target 25)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
  pid 4552  pid_target 3088  Process WerFault.exe  procid_target 91

- Modifies Internet Explorer settings
  description: Key created
  ioc: \Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  Process: msdt.exe

- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid 1300  Process mgcah.exe  (8 entries)
  pid 4184  Process msdt.exe  (54 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 3148  Process Explorer.EXE

- Suspicious behavior: MapViewOfSection (8 IoCs)
  pid 1988  Process mgcah.exe  (1 entry)
  pid 1300  Process mgcah.exe  (3 entries)
  pid 4184  Process msdt.exe  (4 entries)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege          pid 1300  Process mgcah.exe
  Token: SeDebugPrivilege          pid 4184  Process msdt.exe
  Token: SeShutdownPrivilege       pid 3148  Process Explorer.EXE
  Token: SeCreatePagefilePrivilege pid 3148  Process Explorer.EXE

- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1212 wrote to memory of 1988  (pid 1212, Process e066fc71749b0a90749d3b8af5b53aa21bab9d43c63cddcb46c9b1f9ae5beb76.exe, procid_target 84)  (3 entries)
  PID 1988 wrote to memory of 1300  (pid 1988, Process mgcah.exe, procid_target 85)  (4 entries)
  PID 3148 wrote to memory of 4184  (pid 3148, Process Explorer.EXE, procid_target 86)  (3 entries)
  PID 4184 wrote to memory of 3088  (pid 4184, Process msdt.exe, procid_target 91)  (3 entries)
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3148
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\e066fc71749b0a90749d3b8af5b53aa21bab9d43c63cddcb46c9b1f9ae5beb76.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e066fc71749b0a90749d3b8af5b53aa21bab9d43c63cddcb46c9b1f9ae5beb76.exe"
    PID: 1212
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\mgcah.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mgcah.exe" C:\Users\Admin\AppData\Local\Temp\nmlbeworo.wp
      PID: 1988
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Local\Temp\mgcah.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\mgcah.exe"
        PID: 1300
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    PID: 4184
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 3088

      - [4] C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 3088 -s 128
        PID: 4552
        - Program crash

- [1] C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 476 -p 3088 -ip 3088
  PID: 3328
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 7KB
  MD5: 24b418a08bfce8a6faaf67543794a280
  SHA1: f4474f8b1e37748be7be9053d5bab23eb2bc801a
  SHA256: c49828c2c6fdbbe1c29221893d31e95cbb75210390259a884f1beb8c2898fd76
  SHA512: 229985bdbcd3dcd411badaec590073754ecd8ff78cc228098c64a1f93979df5f8d42bbc5ab32084a6bde64991a83d9d35f9afd98630a08546b8b89243d25bee3

- Filesize: 7KB
  MD5: 24b418a08bfce8a6faaf67543794a280
  SHA1: f4474f8b1e37748be7be9053d5bab23eb2bc801a
  SHA256: c49828c2c6fdbbe1c29221893d31e95cbb75210390259a884f1beb8c2898fd76
  SHA512: 229985bdbcd3dcd411badaec590073754ecd8ff78cc228098c64a1f93979df5f8d42bbc5ab32084a6bde64991a83d9d35f9afd98630a08546b8b89243d25bee3

- Filesize: 7KB
  MD5: 24b418a08bfce8a6faaf67543794a280
  SHA1: f4474f8b1e37748be7be9053d5bab23eb2bc801a
  SHA256: c49828c2c6fdbbe1c29221893d31e95cbb75210390259a884f1beb8c2898fd76
  SHA512: 229985bdbcd3dcd411badaec590073754ecd8ff78cc228098c64a1f93979df5f8d42bbc5ab32084a6bde64991a83d9d35f9afd98630a08546b8b89243d25bee3

- Filesize: 5KB
  MD5: 0d21fef0892b0f6420ca2e779eea172a
  SHA1: 66f233ff2b691ca9f59f94866902f0000f2e9518
  SHA256: df151fce86ca5123f99488c0575d691b004149e167a3cf181ddfa6e0834b6c79
  SHA512: 6992aaccd778be88fae0ddd69783b74a6997871f04aa1fc420cf670b95107579e9863cc8380b8a440ce141cad3f8fb678c4646346ff5816ab4c988cee464e7dd

- Filesize: 205KB
  MD5: 936f56b919389031bd5d638c9bad07ca
  SHA1: ab88090f736103d535484be8727fe0fac2c52e08
  SHA256: 8f7ea36e02e2cf059b3c58dac801ce27f58a7d449569f795694aff273438a89c
  SHA512: fb897b9475ab16d5d5a492b932d8c01ab61466bfa49d83ba4531e424f6c5fd907e857878186415d3dad66a6e50f45b773ab479be23ff7901ebb779343145abaf