
Analysis

  • max time kernel
    22s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19/06/2021, 03:16 UTC

General

  • Target

    adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe

  • Size

    1.4MB

  • MD5

    4fa5fd0b35ba44e25b87747c1ba710f6

  • SHA1

    dcbcb67d4723312f274627a2a22861f759d032a1

  • SHA256

    adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1

  • SHA512

    d0f87394722e6f842e74a117f77e4cb579418bec18ece2efbd6feb4bee6facb0bb69d2153fb6c70b4584b389eee77f15c0f561f21b26e08c421fe727b56b7d13

Signatures

  • DMA Locker

    Ransomware family with some advanced features, like encryption of unmapped network shares.

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

  • Modifies system executable filetype association (2 TTPs, 8 IoCs)
  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in Drivers directory (19 IoCs)
  • Sets service image path in registry (2 TTPs)
  • Drops startup file (64 IoCs)
  • Adds Run key to start application (2 TTPs, 8 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops autorun.inf file (1 TTP)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (23 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Modifies registry class (53 IoCs)
  • Suspicious behavior: EnumeratesProcesses (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe (depth 1)
    "C:\Users\Admin\AppData\Local\Temp\adc9137cf2906e36ac9e6bbeff3faed0219bbde512064b6251b62cfe37812cb1.exe"
    PID: 636
    • Modifies system executable filetype association
    • Adds policy Run key to start application
    • Drops file in Drivers directory
    • Drops startup file
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory

    Child processes (depth 2), all spawned by PID 636:

    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\*.*" /a /q"
      PID: 2416
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}""
      PID: 2208
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
      PID: 3788
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
      PID: 3612
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}""
      PID: 3264
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\*.*" /a /q"
      PID: 1156
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}""
      PID: 3240
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}\*.*" /a /q"
      PID: 672
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\*.*" /a /q"
      PID: 3148
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}""
      PID: 1736
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
      PID: 3952
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\*.*" /a /q"
      PID: 184
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}""
      PID: 3172
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del \\.\C:\con.sys\*.* /a /q"
      PID: 3084
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del \\.\C:\con.ini\*.* /a /q"
      PID: 1276
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd \\.\C:\con.ini"
      PID: 4140
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del \\.\C:\con.usb\*.* /a /q"
      PID: 4184
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd \\.\C:\con.sys"
      PID: 732
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd \\.\C:\con.usb"
      PID: 4216
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
      PID: 1164
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}\*.*" /a /q"
      PID: 580
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}""
      PID: 2608
