49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

49fd52a3f3...71.exe

windows7_x64

8

49fd52a3f3...71.exe

windows10_x64

9

Sharing

General

Target

49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71.exe
Size

137KB
Sample

210517-gqqnal5n7j
MD5

9aa3cc9d7c641ea22cfa3e5233e13c94
SHA1

1970f6c17567d56c3e7840fe33a6959dd887fca2
SHA256

49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
SHA512

ef87881534199c3eac630883701b86ac21e6143a61b2224c39421b23bf5d9a59b8b1b868becf8632582451d709be46c944359bbd132b75ec9591a5382b098e0c

Score

9^/10

evasion persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71.exe

Resource

win7v20210408

persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71.exe

Resource

win10v20210410

evasion persistence ransomware spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71.exe
- Size
  
  137KB
- MD5
  
  9aa3cc9d7c641ea22cfa3e5233e13c94
- SHA1
  
  1970f6c17567d56c3e7840fe33a6959dd887fca2
- SHA256
  
  49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
- SHA512
  
  ef87881534199c3eac630883701b86ac21e6143a61b2224c39421b23bf5d9a59b8b1b868becf8632582451d709be46c944359bbd132b75ec9591a5382b098e0c
Score

9^/10

persistence spyware stealer evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

persistencespywarestealer

behavioral2

evasionpersistenceransomwarespywarestealer

© 2018-2025

Terms | Privacy