Analysis
- max time kernel: 241s
- max time network: 280s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 19/02/2022, 16:59
Static task: static1
Behavioral task: behavioral1
- Sample: ccd56bca846828d16b951b099f55ae7c.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds
General
- Target: ccd56bca846828d16b951b099f55ae7c.exe
- Size: 117.7MB
- MD5: ccd56bca846828d16b951b099f55ae7c
- SHA1: 37641c823fc68d6e22542107a58c28247763c12a
- SHA256: 4c88894f3db3123130bf766ea024aa8baba4e9e1bd36d6509f61477e9e9bd345
- SHA512: 25395603082a94fc29c8272ee1e6abb1a602b3a81080aa2012b65623b0b46e174bc984dd3484b80d56ae770943ee41c76762c060ca93234eefd9fa24f01f843c
Malware Config

Signatures
Babadeda Crypter (1 IoC)
- resource: behavioral1/memory/452-120-0x0000000003E90000-0x0000000008F90000-memory.dmp, yara_rule: family_babadeda
Executes dropped EXE (1 IoC)
- PID 452: iisexpress.exe
Loads dropped DLL (64 IoCs)
Checks whether UAC is enabled (1 IoC)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: ccd56bca846828d16b951b099f55ae7c.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: ccd56bca846828d16b951b099f55ae7c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: ccd56bca846828d16b951b099f55ae7c.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: ccd56bca846828d16b951b099f55ae7c.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1728: ccd56bca846828d16b951b099f55ae7c.exe
- PID 1728: ccd56bca846828d16b951b099f55ae7c.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 452: iisexpress.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1728 wrote to memory of 452 (process: ccd56bca846828d16b951b099f55ae7c.exe, procid_target: 29)
- PID 1728 wrote to memory of 452 (process: ccd56bca846828d16b951b099f55ae7c.exe, procid_target: 29)
- PID 1728 wrote to memory of 452 (process: ccd56bca846828d16b951b099f55ae7c.exe, procid_target: 29)
- PID 1728 wrote to memory of 452 (process: ccd56bca846828d16b951b099f55ae7c.exe, procid_target: 29)
- PID 1728 wrote to memory of 452 (process: ccd56bca846828d16b951b099f55ae7c.exe, procid_target: 29)
- PID 1728 wrote to memory of 452 (process: ccd56bca846828d16b951b099f55ae7c.exe, procid_target: 29)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ccd56bca846828d16b951b099f55ae7c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccd56bca846828d16b951b099f55ae7c.exe"
   PID: 1728
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Audio Network Controller\iisexpress.exe (child of PID 1728)
      Command line: "C:\Users\Admin\AppData\Roaming\Audio Network Controller\iisexpress.exe"
      PID: 452
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx