Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

c43e594b3c...f6.exe

windows7-x64

7

c43e594b3c...f6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 05:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe

  • Size

    280KB

  • MD5

    49f57039c3956225756f544bb987e3c0

  • SHA1

    cee23d2454fd080f7bd871b06c4846ba00318759

  • SHA256

    c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6

  • SHA512

    1dffbea58f49c1c709439c3da8a6c16cd2705903b5e81cee6d960fb277be1e824ff93c2b9c2d0279d43a9e1c33ec280a6eb45946d2be836d089745d7a542c107

  • SSDEEP

    6144:SsJvXdjle3O25F06ZWzC9MY/d7pUXoxTF0fLqOL1pOLfr7HHo:LvXve3kP0d/F+D/LKLfr7no

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
    "C:\Users\Admin\AppData\Local\Temp\c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\rUNDLL32.exe
      rUNDLL32 "C:\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll",DllRegisterServer
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2572
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Adobe\vphrlzam.dll,DllCanUnloadNow
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3368

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Adobe\vphrlzam.dll
    Filesize

    538KB

    MD5

    a8f6b06e26a017e6d1ae000b9e27b631

    SHA1

    f6ca39e93612dc7d40e5c7509b229d4505267f26

    SHA256

    8db4c688301cf923f12c56fc47f5a830316e3544a822a731964400e2d76f2b8c

    SHA512

    5cb5f6e6e78a9f61bfb77d566c2ee54a4581b0c27627432d160667d75c73144c5fb6cb3b9fad08a46b85997e605946b341638e74c744c3fa11efd3ed9010008e

    Download Submit

  • C:\Users\Admin\AppData\Local\Adobe\vphrlzam.dll
    Filesize

    538KB

    MD5

    a8f6b06e26a017e6d1ae000b9e27b631

    SHA1

    f6ca39e93612dc7d40e5c7509b229d4505267f26

    SHA256

    8db4c688301cf923f12c56fc47f5a830316e3544a822a731964400e2d76f2b8c

    SHA512

    5cb5f6e6e78a9f61bfb77d566c2ee54a4581b0c27627432d160667d75c73144c5fb6cb3b9fad08a46b85997e605946b341638e74c744c3fa11efd3ed9010008e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsmCBF2.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\snstnnoj\fdkvamvp.dll
    Filesize

    538KB

    MD5

    a8f6b06e26a017e6d1ae000b9e27b631

    SHA1

    f6ca39e93612dc7d40e5c7509b229d4505267f26

    SHA256

    8db4c688301cf923f12c56fc47f5a830316e3544a822a731964400e2d76f2b8c

    SHA512

    5cb5f6e6e78a9f61bfb77d566c2ee54a4581b0c27627432d160667d75c73144c5fb6cb3b9fad08a46b85997e605946b341638e74c744c3fa11efd3ed9010008e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll
    Filesize

    332KB

    MD5

    1ed561899384bf22530cf843ddebdc5d

    SHA1

    44d73844fbe2225457d0f91f39e36c162ffc2a9f

    SHA256

    e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

    SHA512

    e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll
    Filesize

    332KB

    MD5

    1ed561899384bf22530cf843ddebdc5d

    SHA1

    44d73844fbe2225457d0f91f39e36c162ffc2a9f

    SHA256

    e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

    SHA512

    e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

    Download Submit

  • memory/2572-138-0x0000000010000000-0x0000000010058000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3028-137-0x0000000072660000-0x00000000726ED000-memory.dmp

    Filesize

    564KB

    Download

  • memory/3028-140-0x0000000072660000-0x00000000726ED000-memory.dmp

    Filesize

    564KB

    Download

  • memory/3368-143-0x0000000072660000-0x00000000726ED000-memory.dmp

    Filesize

    564KB

    Download

  • memory/3368-144-0x0000000072660000-0x00000000726ED000-memory.dmp

    Filesize

    564KB

    Download