Analysis
- max time kernel: 261s
- max time network: 265s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/03/2023, 06:31
- Static task: static1
- Behavioral task: behavioral1, sample tmp.exe, resource win7-20230220-en
- Behavioral task: behavioral2, sample tmp.exe, resource win10v2004-20230221-en (the run shown on this page)
General
- Target: tmp.exe
- Size: 4.3MB
- MD5: 36eed7c142e558ed187afea4f6c949c3
- SHA1: 907d03e167621f5685ad8aae482faebf9cffdd7b
- SHA256: 62a9a4a09e83bc1ba11bfd726f28324236ca3ec638c7cc46c39aff3ca8f2d9a2
- SHA512: bf4916e9a532606e2520bbc24dea60ef496f84891974fcb1b3b469d23deae6563b6fb30291fd67ac3f18bcaea5e14680e195f9310550d0a8ce8b66d0cd448102
- SSDEEP: 98304:I6/sYnlE/5X3BsTpdKl1aDeL2QeLPb/K+EH/:4sWRHGe1GJVPTOH/
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation, by tmp.exe

Loads dropped DLL (1 IoC)
  PID 1260 rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 1260 rundll32.exe (2 calls)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 1260 rundll32.exe (8), PID 4308 powershell.exe (2), PID 1548 dllhost.exe (1)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 4308 powershell.exe: SeDebugPrivilege
  PID 1548 dllhost.exe: SeDebugPrivilege, then the following set enabled in repeated passes (the listing stops at 64 entries, partway through the third pass):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    (the numeric entries are privilege LUIDs the sandbox did not resolve to a name)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4940 tmp.exe wrote to memory of PID 1260 (procid_target 85): 5 writes
  PID 4940 tmp.exe wrote to memory of PID 4308 (procid_target 86): 5 writes
  PID 1260 rundll32.exe wrote to memory of PID 1548 (procid_target 88): 7 writes
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe  (PID 4940)
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe  (PID 1260, child of 4940)
    "C:\Windows\System32\rundll32.exe" cache.tmp,cleanup
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\dllhost.exe  (PID 1548, child of 1260)
      dllhost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4308, child of 4940)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Remove-Item 'C:\Users\Admin\AppData\Local\Temp\tmp.exe' -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
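The signature and process sections above are the sandbox's flattened tables. Read together they show tmp.exe (PID 4940) starting rundll32.exe on a dropped file (cache.tmp,cleanup) and a powershell.exe that deletes the original sample, then rundll32.exe writing into dllhost.exe (PID 1548), which enables a broad set of token privileges. The script below is an added example, not part of the tria.ge report or of the sample: it parses the report's own WriteProcessMemory and AdjustPrivilegeToken record strings (a deduplicated subset of the lines above is embedded inline), rebuilds the parent/child tree from the cross-process writes, and flags the privileges an analyst would want explained when a user-mode helper enables them. The DANGEROUS set and the PID-to-name map are this example's own choices, not something the report defines.

```python
"""Rebuild a process tree and per-process privilege set from tria.ge-style
IoC records.  Added example; not code from the report or from the sample."""
import re
from collections import defaultdict

# Subset of the report's 'Suspicious use of WriteProcessMemory' records,
# one line per write, copied from the page (duplicates shortened).
WPM_RECORDS = """
PID 4940 wrote to memory of 1260 4940 tmp.exe 85
PID 4940 wrote to memory of 1260 4940 tmp.exe 85
PID 4940 wrote to memory of 4308 4940 tmp.exe 86
PID 1260 wrote to memory of 1548 1260 rundll32.exe 88
"""

# Subset of the report's 'Suspicious use of AdjustPrivilegeToken' records.
# The bare number is a privilege LUID the sandbox did not resolve to a name.
TOKEN_RECORDS = """
Token: SeDebugPrivilege 4308 powershell.exe
Token: SeDebugPrivilege 1548 dllhost.exe
Token: SeIncreaseQuotaPrivilege 1548 dllhost.exe
Token: SeLoadDriverPrivilege 1548 dllhost.exe
Token: SeBackupPrivilege 1548 dllhost.exe
Token: SeRestorePrivilege 1548 dllhost.exe
Token: SeTakeOwnershipPrivilege 1548 dllhost.exe
Token: 33 1548 dllhost.exe
Token: SeDebugPrivilege 1548 dllhost.exe
"""

# PID -> image name, taken from the report's Processes section (example's own map).
NAMES = {4940: "tmp.exe", 1260: "rundll32.exe", 4308: "powershell.exe", 1548: "dllhost.exe"}

# Privileges whose enablement by a plain user-mode process deserves a second look
# (example's own list; SeDebugPrivilege alone is enough to open most processes).
DANGEROUS = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
             "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")


def parse_wpm(text):
    """Return {writer_pid: {target_pid}} from WriteProcessMemory IoC lines.
    CreateProcess of a suspended child produces several writes into it, so the
    repeated lines collapse into one edge."""
    edges = defaultdict(set)
    for m in WPM_RE.finditer(text):
        edges[int(m.group(1))].add(int(m.group(2)))
    return dict(edges)


def parse_tokens(text):
    """Return {pid: (image, {privilege})} from AdjustPrivilegeToken IoC lines."""
    privs = {}
    for m in TOKEN_RE.finditer(text):
        priv, pid, image = m.group(1), int(m.group(2)), m.group(3)
        privs.setdefault(pid, (image, set()))[1].add(priv)
    return privs


def render_tree(edges, names, root):
    """Depth-first listing of the tree rooted at `root`, one process per line."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in sorted(edges.get(pid, ())):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def flag_privileges(privs):
    """PIDs that enabled any DANGEROUS privilege, with the sorted offending set."""
    return {pid: sorted(p & DANGEROUS) for pid, (_, p) in privs.items() if p & DANGEROUS}


if __name__ == "__main__":
    tree = parse_wpm(WPM_RECORDS)
    print("\n".join(render_tree(tree, NAMES, 4940)))
    for pid, flagged in flag_privileges(parse_tokens(TOKEN_RECORDS)).items():
        print(f"{NAMES.get(pid, '?')} (PID {pid}) enabled: {', '.join(flagged)}")
```

On this report the WriteProcessMemory edges coincide with the parent/child tree, because a parent writes into a freshly created child before it runs. That is not true in general: a write from one already-running process into an unrelated one shows up as the same kind of record, so treat a WriteProcessMemory edge as "touched the target's memory", and confirm parentage from the sandbox's own process tree (the procid_target column and the Processes section) rather than from these records alone.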
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: 95b30b4831f432124e970713da9485ad
  SHA1: f94da006bcb480ecfaf9043dd52b5650a906dc06
  SHA256: 9e489490152484dc08fdaeb35b66b48d11e78bc294c8ad0c8bde1cb8101493f6
  SHA512: cb3ea06f9ed7360bc865541aeb8d2d6dbd3c7618bddf298b5c67caa891145317a617efb71a2235581dedba64bc2c351e185bf8866dec98d3707aed0849f32b0d