Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2023, 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  Resource: win10v2004-20230220-en
General
Target: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
Size: 7.3MB
MD5: 99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1: 59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256: 348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512: 845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP: 196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1
Malware Config
Extracted
  Family: laplas
  C2: http://185.106.92.104
  api_key: bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
  Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe

Executes dropped EXE (1 IoCs)
  pid: 1740  Process: svcservice.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"
  Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid: 540   Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  pid: 540   Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  pid: 1740  Process: svcservice.exe
  pid: 1740  Process: svcservice.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 540   Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  pid: 540   Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  pid: 1740  Process: svcservice.exe
  pid: 1740  Process: svcservice.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 540 wrote to memory of 1740  pid: 540  Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe  procid_target: 89
  description: PID 540 wrote to memory of 1740  pid: 540  Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe  procid_target: 89
  description: PID 540 wrote to memory of 1740  pid: 540  Process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe  procid_target: 89
Processes
C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe"
  PID: 540
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe (child of PID 540)
    Command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    PID: 1740
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 733.3MB
MD5: 1f534eac78be1b83d9bb3af8e752842b
SHA1: fefcaeb6739d7bb71e77beb03b4540407b1cc50e
SHA256: 83f838c581cdbb48a15a5c2cea94d65132dc9c858352438b23dc94972a3e6371
SHA512: 2046863f8719fd6ab203c5e97e764dcbe933d16b7e7d79ca4f364cdc7c9c4ae37b9c2bfbbce3655903a8e0b87b498eed033cfd96664d20fa1806e2e2852e1043