Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

30/06/2024, 00:43

240630-a225da1apg 9

30/06/2024, 00:40

240630-az78ls1alc 9

Analysis

  • max time kernel
    1795s
  • max time network
    1799s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/06/2024, 00:43

General

  • Target

    a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a.exe

  • Size

    79KB

  • MD5

    725e65aa9cb9f4e2e7e85f6893cd189f

  • SHA1

    b785900d47cae459aace67417c7b2df977c012f0

  • SHA256

    a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a

  • SHA512

    7adddd2f38483ebf77d0cfd2967a02ebd2eaf6a7add751c6d5423034139f6d75b05d6a46b0bd3e36072882e4d7ad973612c2f2c610a16ce85515172bfa90f31b

  • SSDEEP

    768:W7BlpDpARFbhYQkQjjIXYvPXzWPXzK3733uF4V7en5c5HChCrmhYCDPdICDPdoQc:W7ZDpApYbWjIoPyPoLzV7c6Sh1dldoQc

Malware Config

Signatures

  • Renames multiple (20477) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 27 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a.exe
    "C:\Users\Admin\AppData\Local\Temp\a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A62C2D~1.EXE > nul
      2⤵
        PID:2000
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4532,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
      1⤵
        PID:552
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3972,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=1692 /prefetch:8
        1⤵
          PID:4004

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini.tmp

          Filesize

          80KB

          MD5

          89313542e03e32f2d244c76aa4189226

          SHA1

          d49f92a7265df89f89a197b36d127394be3f1272

          SHA256

          422a9b2d0f9f6be053735a866db027fcad89a2602390ce8a99488611e25981ab

          SHA512

          e87ca65cb1fbe0c45e4b58f30d8bed470f90326e5dee2ab8e443029624cf52abbdc92a52d51446cb3e4e71357312b96a494fc9b3ddb9d4bc448229d2635999c6

        • C:\Program Files\7-Zip\7-zip.chm.tmp

          Filesize

          192KB

          MD5

          03eb814f96ea633c6218f9501caf865e

          SHA1

          82cc63a6ddb91cd0d7972618505540cf880b44c7

          SHA256

          8d32e6f313a452194affe628fff7a347381e8245e9c9f5ef8d73d666f9629f41

          SHA512

          a549c16c888f10bf6f9dde34563c20d8fac0be9f1c034f8b57842b67fb498d4917a3eea0c09de94e645234f989deae8f5489a1088d7ba52eaccc55332d888e8e