Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 16:22

General

  • Target

    75eb10f7d4f2503abf1d36175e5de50df1efbb7853aa9ed9ecbb98f827847308.exe

  • Size

    14KB

  • MD5

    cc38d96413fd60ef3e64ef58d27101e6

  • SHA1

    e5eeef43a698c992c99691939a885dd7f937cb75

  • SHA256

    75eb10f7d4f2503abf1d36175e5de50df1efbb7853aa9ed9ecbb98f827847308

  • SHA512

    c5e768484e23751640a992461885671b2f6d2ec5f434146fd723a8a3be4b5090e84f54db9ae9cb2b05c52dbc00576dab719e8758903e76ba37e5a239d00cf528

  • SSDEEP

    384:jxNR77zN0w638TNFTBs16QCzOcg9FgiKa:jxN17zn66W2zONFgiKa

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives (3 TTPs, 1 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (9 IoCs)
  • Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\75eb10f7d4f2503abf1d36175e5de50df1efbb7853aa9ed9ecbb98f827847308.exe
    "C:\Users\Admin\AppData\Local\Temp\75eb10f7d4f2503abf1d36175e5de50df1efbb7853aa9ed9ecbb98f827847308.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -a -s -h c:\boot.ini
        3⤵
        • Views/modifies file attributes
        PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
      2⤵
      PID:372

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

    Filesize

    1KB

    MD5

    dfbec89c53cc55f499f2f84f92a08ad9

    SHA1

    272777956848fcecfa4548496594a1066c59ee74

    SHA256

    edc7e51df8ac5debc7007d77779f1a0074efa6fd77cb9b127eb415f37a44b455

    SHA512

    db7864d7acdd9caf4cf765294e350aad5cf03b9c84bde54e99f296c947c65d0cebfdb4a4081d3ed3a89739f9583fc26cca5801b23f6a8d8281bd343b1fe1e4d7

  • C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

    Filesize

    164B

    MD5

    3d4fda05c7e6bac8194c9a5eb2b97b23

    SHA1

    9e4b269d07896a410f2c4b37cde5b83b3ace580e

    SHA256

    a63904f88a513617b392b0a450a78198a3b1d808f07a82ca6c6da9280736aa96

    SHA512

    3495bbf0eeef62105350f57984b114ff6faa8eb8a5423ad3d3d72adea8d12e35fb7218951aa5968d7330178c8db82b014c97ffd6ff6518200b95cc9750a2b3d0

  • memory/4828-134-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB