Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

10/11/2021, 14:50

211110-r7nbvaeddr 10

08/11/2021, 16:12

211108-tnmmbahgaj 10

08/11/2021, 15:26

211108-svdsbaccf6 10

08/11/2021, 14:48

211108-r6lfvshdfn 10

Analysis

  • max time kernel
    216s
  • max time network
    1724s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    08/11/2021, 16:12

General

  • Target

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
    "C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" sqlite.dll,global
      2⤵
      • Loads dropped DLL
      PID:2904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 456
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4036
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2904 -ip 2904
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3924-146-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

    Filesize

    4KB

  • memory/3924-147-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

    Filesize

    4KB