Analysis
max time kernel: 77s
max time network: 81s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2023, 19:05
Static task: static1
Behavioral task: behavioral1
  Sample: WinRAddRd.exe
  Resource: win10v2004-20230703-en
General
Target: WinRAddRd.exe
Size: 669KB
MD5: a5be759450ca107d0ae80a275b697c8a
SHA1: 0896ddf9cc0d6ab5a3e94d1509e5883592485e87
SHA256: e7f4bae5fd7a15bd269b0460c395f9f3b0168a5012e47ceabd48748b5aec2411
SHA512: 7f85c07c04c9dac7f14a4a15d248976bc755a63141bc20adc0da378608458c59ddf7300e651b3cf5adc523f08668887f1558d039028af31a6a59e723932597dc
SSDEEP: 12288:jvJvdzf4U7b90FO9zafsx2zDK0e0HO0mI5jYxAuFHV2:DJVTjf90FO92fsiFe0HOgyxHb2
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry. The value under Control Panel\International\Geo\Nation is the user's GeoID; reading it at startup is a common geofence, letting the sample refuse to run in selected countries.
Key queried                                                                                            Process
\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation    WinRAddRd.exe

Executes dropped EXE (1 IoC)
PID    Process
3228   WinRAddRd.exe (the copy at C:\Users\Admin\AppData\Roaming\WinRAddRd.exe, see the process tree)

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the calling thread from delivering debug events, a widespread anti-debugging trick. Both the original and the dropped copy call it.
PID    Process
5072   WinRAddRd.exe (2 calls)
3228   WinRAddRd.exe (2 calls)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "WinRAddRd" is created with /sc onlogon (runs at every logon of the user), /rl highest (the highest privilege available to the creating account, so it only yields an elevated task if the creating process was itself elevated), /f (overwrite any existing task of that name) and /tr pointing at the copy in AppData\Roaming.
PID    Process
4800   schtasks.exe

Delays execution with timeout.exe (1 IoC)
"timeout 3" is run from the temporary batch file, a three-second sleep before the AppData\Roaming copy is launched.
PID    Process
3292   timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
PID    Process
5072   WinRAddRd.exe (23 process enumerations)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description                 PID    Process
Token: SeDebugPrivilege     5072   WinRAddRd.exe
Token: SeDebugPrivilege     3228   WinRAddRd.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Writer PID   Writer           Target PID   procid_target
5072         WinRAddRd.exe    1268         91
5072         WinRAddRd.exe    4704         93
1268         cmd.exe          4800         95
4704         cmd.exe          3292         96
4704         cmd.exe          3228         97
Each of the five writes is recorded three times in the report, giving the 15 IoCs. Every target PID is a direct child of the writer in the process tree below, so these writes are consistent with ordinary process creation rather than injection into an existing process.
Processes

C:\Users\Admin\AppData\Local\Temp\WinRAddRd.exe (PID 5072)
  command line: "C:\Users\Admin\AppData\Local\Temp\WinRAddRd.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1268)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinRAddRd" /tr '"C:\Users\Admin\AppData\Roaming\WinRAddRd.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 4800)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "WinRAddRd" /tr '"C:\Users\Admin\AppData\Roaming\WinRAddRd.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe (PID 4704)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC1E.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 3292)
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\WinRAddRd.exe (PID 3228)
      command line: "C:\Users\Admin\AppData\Roaming\WinRAddRd.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken

cmd.exe is requested as C:\Windows\System32\cmd.exe but the image that actually runs is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so its System32 references are redirected by WOW64 file-system redirection. Read top to bottom, the sample registers a logon task pointing at a copy of itself under AppData\Roaming, then runs a temporary batch file that sleeps three seconds and launches that copy, which repeats the anti-debugging and SeDebugPrivilege behaviour of the original.
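The chain above is compact enough to turn directly into detection logic. The following Python is an added example and not part of the tria.ge report: it rebuilds the tree as Sysmon-style process-creation records (PIDs, images and command lines copied from the tree, parent links taken from the WriteProcessMemory table, which is the constructed input), parses the schtasks /create options, and flags two things: a logon or highest-privilege task whose action lives in a user-writable path, and a cmd.exe batch wrapper that sleeps and then starts an executable from such a path. The names ProcEvent, USER_WRITABLE, find_persistence and find_delayed_relaunch are this example's own, not anything the report or the sample defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TR_TARGET = r"C:\Users\Admin\AppData\Roaming\WinRAddRd.exe"
SCHTASKS_ARGS = ('/create /f /sc onlogon /rl highest /tn "WinRAddRd" /tr '
                 + "'\"" + TR_TARGET + "\"'")

# Constructed input: PIDs, images and command lines copied from the report's
# process tree, parent links from its WriteProcessMemory table (ppid 0 = unknown).
EVENTS = [
    ProcEvent(5072, 0, r"C:\Users\Admin\AppData\Local\Temp\WinRAddRd.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\WinRAddRd.exe"'),
    ProcEvent(1268, 5072, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c schtasks ' + SCHTASKS_ARGS + " & exit"),
    ProcEvent(4800, 1268, r"C:\Windows\SysWOW64\schtasks.exe", "schtasks " + SCHTASKS_ARGS),
    ProcEvent(4704, 5072, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC1E.tmp.bat""'),
    ProcEvent(3292, 4704, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(3228, 4704, TR_TARGET, '"' + TR_TARGET + '"'),
]

# Directories any user can write to; a task action living here is the usual malware shape.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring both quote styles, quotes dropped."""
    return [t for t in (m.strip("'\"") for m in _TOKEN.findall(cmdline)) if t]


def parse_schtasks_create(cmdline):
    """Return {option: value} for a 'schtasks /create' command line (bare switches map to True), else None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    opts, i = {}, low.index("/create") + 1
    while i < len(toks):
        if toks[i].startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[low[i][1:]] = toks[i + 1]   # option with a value, e.g. /sc onlogon
                i += 2
                continue
            opts[low[i][1:]] = True              # bare switch, e.g. /f
        i += 1
    return opts


def find_persistence(events):
    """Flag schtasks.exe creating a logon/startup or highest-privilege task whose action is user-writable."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\schtasks.exe"):
            continue
        opts = parse_schtasks_create(ev.cmdline)
        if not opts:
            continue
        target = str(opts.get("tr", ""))
        trigger = str(opts.get("sc", "")).lower()
        level = str(opts.get("rl", "")).lower()
        if USER_WRITABLE.search(target) and (trigger in {"onlogon", "onstart"} or level == "highest"):
            hits.append({"pid": ev.pid, "task": opts.get("tn"), "trigger": trigger,
                         "runlevel": level, "action": target})
    return hits


def _base(path):
    return path.rsplit("\\", 1)[-1]


def find_delayed_relaunch(events):
    """Flag cmd.exe running a .bat/.cmd that sleeps (timeout/ping) and then starts an exe from a user-writable path."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe") or not re.search(r"\.(bat|cmd)\b", e.cmdline, re.I):
            continue
        kids = children[e.pid]
        delay = [k for k in kids if k.image.lower().endswith(("\\timeout.exe", "\\ping.exe"))]
        dropped = [k for k in kids if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
        parent = by_pid.get(e.ppid)
        for d in dropped:
            if delay:  # same_name: the relaunched file has the same name as the process that wrote the batch
                same = parent is not None and _base(parent.image).lower() == _base(d.image).lower()
                hits.append({"batch_pid": e.pid, "delay_pid": delay[0].pid, "relaunched": d.pid, "same_name": same})
    return hits


def render_tree(events):
    """Indented 'pid image' lines, parents before children, for a quick view of the chain."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    lines = []

    def walk(e, depth):
        lines.append("  " * depth + f"{e.pid} {_base(e.image)}")
        for c in children[e.pid]:
            walk(c, depth + 1)

    for root in (e for e in events if e.ppid not in by_pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    print("persistence:", find_persistence(EVENTS))
    print("delayed relaunch:", find_delayed_relaunch(EVENTS))
```

The persistence rule keys on the combination that matters rather than on schtasks.exe alone (administrators create tasks too): a trigger that survives reboot or a highest-privilege request, combined with an action path under AppData, Temp, ProgramData or Public. The relaunch rule needs the parent/child links, which is why it is easier to write over process-creation events than over a flat list of command lines; a three-second timeout is harmless on its own, and only the sibling executable from a user-writable path makes it worth an alert.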
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 07967bd4c2a64c0682130e1ba7040bc6
SHA1: 7526bfccff20563ad0b83df1efed65f6443af2bc
SHA256: 4989255ecb2159d09433043d875c3c28b74bd7de9f3589c6fe6b8ca3de5c2fe3
SHA512: 147c362e1c6e00b3ca3914fb88bb74b4ef8a60c2d6ed8ecb41d9babcdaa20e1ceabd32fa24697a5de9812e68f1480fb87b4ef6d5aad91adc3fce7b1d46bc3ab4

Filesize: 153B
MD5: fd004817795654265efe272a9bc58866
SHA1: 1ae042cb55d9b6d3ef48a7feb5977652bc5f839e
SHA256: 43157cc4cce04360a68e6a4172b4b71df8d9c1e5b17e96f91480365d304b83cd
SHA512: c387a29283c75f83a7600d09e89b4a6cb146224b8a19cc83be2d3cdb8c4c29454b9aa658851befac2a33f5a853de6700496d05fc264d7913deec669e930fb2f4

Filesize: 669KB (listed twice; both entries carry the submitted sample's hashes, so the dropped copy is byte-identical to the original)
MD5: a5be759450ca107d0ae80a275b697c8a
SHA1: 0896ddf9cc0d6ab5a3e94d1509e5883592485e87
SHA256: e7f4bae5fd7a15bd269b0460c395f9f3b0168a5012e47ceabd48748b5aec2411
SHA512: 7f85c07c04c9dac7f14a4a15d248976bc755a63141bc20adc0da378608458c59ddf7300e651b3cf5adc523f08668887f1558d039028af31a6a59e723932597dc