Analysis
max time kernel: 27s
max time network: 29s
platform: windows10_x64
resource: win10-en-20211208
submitted: 06/01/2022, 12:29
Static task: static1

Behavioral task: behavioral1
  Sample: update.exe
  Resource: win7-en-20211208
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: update.exe
  Resource: win10-en-20211208
  0 signatures
  0 seconds
General
Target: update.exe
Size: 5.7MB
MD5: 9608c8b6c8d80fdc67b99edd3c53d3d2
SHA1: 37b11d3d7b7a1d18daafd6c63b33526860aaefe6
SHA256: 8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0
SHA512: 4c98ff99686f2b54648c0926fbc1e92522520b11d1447a0fdf2aa11e25de2c109a0e55ae8f736404a3feed7288cb257cd57812ecdaeae41051a6ec3a0f6bfa15
Score: 8/10
Malware Config
Signatures
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.

description                  | ioc                                                                                                      | Process
File renamed                 | C:\Users\Admin\Pictures\ResolveUnregister.crw => C:\Users\Admin\Pictures\ResolveUnregister.crw.nightsky | update.exe
File opened for modification | C:\Users\Admin\Pictures\ResolveUnregister.crw.nightsky                                                  | update.exe
File opened for modification | C:\Users\Admin\Pictures\UndoSend.png.nightsky                                                           | update.exe
File renamed                 | C:\Users\Admin\Pictures\AssertUnregister.png => C:\Users\Admin\Pictures\AssertUnregister.png.nightsky   | update.exe
File opened for modification | C:\Users\Admin\Pictures\AssertUnregister.png.nightsky                                                   | update.exe
File renamed                 | C:\Users\Admin\Pictures\ConvertToStep.png => C:\Users\Admin\Pictures\ConvertToStep.png.nightsky         | update.exe
File opened for modification | C:\Users\Admin\Pictures\CopyEdit.tif.nightsky                                                           | update.exe
File opened for modification | C:\Users\Admin\Pictures\CopyGet.tif.nightsky                                                            | update.exe
File renamed                 | C:\Users\Admin\Pictures\CopyEdit.tif => C:\Users\Admin\Pictures\CopyEdit.tif.nightsky                   | update.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertToStep.png.nightsky                                                      | update.exe
File renamed                 | C:\Users\Admin\Pictures\CopyGet.tif => C:\Users\Admin\Pictures\CopyGet.tif.nightsky                     | update.exe
File renamed                 | C:\Users\Admin\Pictures\UndoSend.png => C:\Users\Admin\Pictures\UndoSend.png.nightsky                   | update.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid  | Process
2480 | update.exe
2480 | update.exe