Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2022, 19:43
Static task: static1
Behavioral task: behavioral1
  Sample: 7103edc262cb73b94bd77da978ad0313.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7103edc262cb73b94bd77da978ad0313.exe
  Resource: win10v2004-20220812-en
General
Target: 7103edc262cb73b94bd77da978ad0313.exe
Size: 320KB
MD5: 7103edc262cb73b94bd77da978ad0313
SHA1: eb2e71fbc36e69d7f60631b889ce4a389f8b92c6
SHA256: dcd72e70333a95c4c07bf37b53686b7121543d0994b7357c54c1c917072daef9
SHA512: 1917c41802430d85ca29a6e801395ed157e1f72264eceef38c0a0a296ac54adc4f92bf0ec282156ad4b355afdb73f9647632f1e123ff7bec3b5c56507a1450b5
SSDEEP: 3072:lbRXn2p4B/51pzVyqZ5iQ88ZJmj3h2OdyC9aNhw3cvo2bDi5fBbHHD+FtW89:lb9+g/pzVwQ82Jm7h2As36CtaJHjN89
Malware Config
Signatures
GandCrab payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1388-56-0x0000000000400000-0x000000000238C000-memory.dmp | family_gandcrab
behavioral1/memory/1388-59-0x0000000000370000-0x0000000000387000-memory.dmp | family_gandcrab
behavioral1/memory/1388-62-0x0000000000400000-0x000000000238C000-memory.dmp | family_gandcrab
behavioral1/memory/1388-64-0x0000000000370000-0x0000000000387000-memory.dmp | family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 7103edc262cb73b94bd77da978ad0313.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hdcvsuqhpbr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\gtronh.exe\"" | 7103edc262cb73b94bd77da978ad0313.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\K: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\L: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\Y: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\E: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\I: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\Q: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\R: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\T: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\W: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\N: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\O: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\P: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\U: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\X: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\Z: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\V: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\A: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\F: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\G: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\H: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\J: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\M: | 7103edc262cb73b94bd77da978ad0313.exe
File opened (read-only) | \??\S: | 7103edc262cb73b94bd77da978ad0313.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 7103edc262cb73b94bd77da978ad0313.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7103edc262cb73b94bd77da978ad0313.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7103edc262cb73b94bd77da978ad0313.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1388 | 7103edc262cb73b94bd77da978ad0313.exe
1388 | 7103edc262cb73b94bd77da978ad0313.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each of the 16 entries below is recorded four times in the report (64 IoCs in total); the writing process is always PID 1388.
description | pid | Process | procid_target
PID 1388 wrote to memory of 952 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 26
PID 1388 wrote to memory of 1956 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 28
PID 1388 wrote to memory of 672 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 30
PID 1388 wrote to memory of 1668 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 32
PID 1388 wrote to memory of 1204 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 34
PID 1388 wrote to memory of 932 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 36
PID 1388 wrote to memory of 1164 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 38
PID 1388 wrote to memory of 1580 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 40
PID 1388 wrote to memory of 1960 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 42
PID 1388 wrote to memory of 1680 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 44
PID 1388 wrote to memory of 1640 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 46
PID 1388 wrote to memory of 1480 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 48
PID 1388 wrote to memory of 1632 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 50
PID 1388 wrote to memory of 836 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 52
PID 1388 wrote to memory of 1860 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 54
PID 1388 wrote to memory of 1596 | 1388 | 7103edc262cb73b94bd77da978ad0313.exe | 56
Processes
1. C:\Users\Admin\AppData\Local\Temp\7103edc262cb73b94bd77da978ad0313.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7103edc262cb73b94bd77da978ad0313.exe"
   PID: 1388
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. Child processes, all C:\Windows\SysWOW64\nslookup.exe (PID followed by command line):
      PID:952   nslookup carder.bit ns1.wowservers.ru
      PID:1956  nslookup ransomware.bit ns2.wowservers.ru
      PID:672   nslookup carder.bit ns2.wowservers.ru
      PID:1668  nslookup ransomware.bit ns1.wowservers.ru
      PID:1204  nslookup carder.bit ns1.wowservers.ru
      PID:932   nslookup ransomware.bit ns2.wowservers.ru
      PID:1164  nslookup carder.bit ns2.wowservers.ru
      PID:1580  nslookup ransomware.bit ns1.wowservers.ru
      PID:1960  nslookup carder.bit ns1.wowservers.ru
      PID:1680  nslookup ransomware.bit ns2.wowservers.ru
      PID:1640  nslookup carder.bit ns2.wowservers.ru
      PID:1480  nslookup ransomware.bit ns1.wowservers.ru
      PID:1632  nslookup carder.bit ns1.wowservers.ru
      PID:836   nslookup ransomware.bit ns2.wowservers.ru
      PID:1860  nslookup carder.bit ns2.wowservers.ru
      PID:1596  nslookup ransomware.bit ns1.wowservers.ru
      PID:1476  nslookup carder.bit ns1.wowservers.ru
      PID:1068  nslookup ransomware.bit ns2.wowservers.ru
      PID:1188  nslookup carder.bit ns2.wowservers.ru
      PID:1964  nslookup ransomware.bit ns1.wowservers.ru
      PID:1720  nslookup carder.bit ns1.wowservers.ru
      PID:2028  nslookup ransomware.bit ns2.wowservers.ru
      PID:272   nslookup carder.bit ns2.wowservers.ru
      PID:1008  nslookup ransomware.bit ns1.wowservers.ru
      PID:1544  nslookup carder.bit ns1.wowservers.ru
      PID:1004  nslookup ransomware.bit ns2.wowservers.ru
      PID:856   nslookup carder.bit ns2.wowservers.ru
      PID:1052  nslookup ransomware.bit ns1.wowservers.ru
      PID:1000  nslookup carder.bit ns1.wowservers.ru
      PID:360   nslookup ransomware.bit ns2.wowservers.ru
      PID:2012  nslookup carder.bit ns2.wowservers.ru
      PID:1564  nslookup ransomware.bit ns1.wowservers.ru
      PID:1592  nslookup carder.bit ns1.wowservers.ru
      PID:968   nslookup ransomware.bit ns2.wowservers.ru
      PID:1572  nslookup carder.bit ns2.wowservers.ru
      PID:1772  nslookup ransomware.bit ns1.wowservers.ru
      PID:1740  nslookup carder.bit ns1.wowservers.ru
      PID:1180  nslookup ransomware.bit ns2.wowservers.ru
      PID:1952  nslookup carder.bit ns2.wowservers.ru
      PID:960   nslookup ransomware.bit ns1.wowservers.ru
      PID:1728  nslookup carder.bit ns1.wowservers.ru
      PID:1320  nslookup ransomware.bit ns2.wowservers.ru
      PID:1608  nslookup carder.bit ns2.wowservers.ru
      PID:1660  nslookup ransomware.bit ns1.wowservers.ru
      PID:760   nslookup carder.bit ns1.wowservers.ru
      PID:800   nslookup ransomware.bit ns2.wowservers.ru
      PID:240   nslookup carder.bit ns2.wowservers.ru
      PID:1692  nslookup ransomware.bit ns1.wowservers.ru
      PID:1352  nslookup carder.bit ns1.wowservers.ru
      PID:1732  nslookup ransomware.bit ns2.wowservers.ru
      PID:432   nslookup carder.bit ns2.wowservers.ru
      PID:1216  nslookup ransomware.bit ns1.wowservers.ru
      PID:580   nslookup carder.bit ns1.wowservers.ru
      PID:1600  nslookup ransomware.bit ns2.wowservers.ru
      PID:1552  nslookup carder.bit ns2.wowservers.ru
      PID:632   nslookup ransomware.bit ns1.wowservers.ru
      PID:688   nslookup carder.bit ns1.wowservers.ru
      PID:1748  nslookup ransomware.bit ns2.wowservers.ru
      PID:1604  nslookup carder.bit ns2.wowservers.ru
      PID:1376  nslookup ransomware.bit ns1.wowservers.ru
      PID:1936  nslookup carder.bit ns1.wowservers.ru
      PID:1452  nslookup ransomware.bit ns2.wowservers.ru
      PID:1088  nslookup carder.bit ns2.wowservers.ru
      PID:1324  nslookup ransomware.bit ns1.wowservers.ru
      PID:1700  nslookup carder.bit ns1.wowservers.ru
      PID:544   nslookup ransomware.bit ns2.wowservers.ru
      PID:976   nslookup carder.bit ns2.wowservers.ru