Analysis

  • max time kernel
    51s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2022, 15:06 UTC

General

  • Target

    1a1ee0cb123de2f7837dc8c40925915e073308580eee1801246275413faf23ad.exe

  • Size

    30KB

  • MD5

    4aa700997c74c883205264f8486f39b0

  • SHA1

    ab705bebb151a6df5824cbfcd7d9eb480e3e124d

  • SHA256

    1a1ee0cb123de2f7837dc8c40925915e073308580eee1801246275413faf23ad

  • SHA512

    610099a2fb90d039576caf9f57c7da35066864f7025799952fc44ae4b2657d76ce4c627550c225260f2ce8660fd517c07f82885c8bde650dabd9f5f60e47abd5

  • SSDEEP

    384:pAcTAjVwMatOwS58YwWdFeaeohweCvklV4Viq1cKqkI:pZTAa/OZj74FrI

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a1ee0cb123de2f7837dc8c40925915e073308580eee1801246275413faf23ad.exe
    "C:\Users\Admin\AppData\Local\Temp\1a1ee0cb123de2f7837dc8c40925915e073308580eee1801246275413faf23ad.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      PID:616

Network

  • flag-us
    DNS
    ren7oaks.co.uk
    budha.exe
    Remote address:
    8.8.8.8:53
    Request
    ren7oaks.co.uk
    IN A
    Response
    ren7oaks.co.uk
    IN A
    162.241.140.161
  • flag-us
    GET
    http://ren7oaks.co.uk/images/al2701.enc
    budha.exe
    Remote address:
    162.241.140.161:80
    Request
    GET /images/al2701.enc HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: ren7oaks.co.uk
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Mon, 03 Oct 2022 15:39:32 GMT
    Server: Apache
    Expires: Wed, 17 Aug 2005 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: 958767c65bfefe5ec43dec5d676db193=cf81d13b739b1ed1af18b50b77d803ec; path=/; secure; HttpOnly
    X-Content-Type-Options: nosniff
    Upgrade: h2,h2c
    Connection: Upgrade
    Location: https://ren7oaks.co.uk/images/al2701.enc
    Last-Modified: Mon, 03 Oct 2022 15:39:32 GMT
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
  • flag-us
    GET
    https://ren7oaks.co.uk/images/al2701.enc
    budha.exe
    Remote address:
    162.241.140.161:443
    Request
    GET /images/al2701.enc HTTP/1.1
    Accept: text/*, application/*
    User-Agent: Updates downloader
    Host: ren7oaks.co.uk
    Cache-Control: no-cache
    Connection: Keep-Alive
    Cookie: 958767c65bfefe5ec43dec5d676db193=cf81d13b739b1ed1af18b50b77d803ec
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 03 Oct 2022 15:39:35 GMT
    Server: Apache
    Cache-Control: no-cache
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Keep-Alive: timeout=5, max=100
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    apps.identrust.com
    budha.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    96.16.53.134
    a1952.dscq.akamai.net
    IN A
    96.16.53.139
  • flag-nl
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    budha.exe
    Remote address:
    96.16.53.134:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=15768000
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' *.identrust.com
    Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
    ETag: "37d-5e1e6e25c9800"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Mon, 03 Oct 2022 16:39:34 GMT
    Date: Mon, 03 Oct 2022 15:39:34 GMT
    Connection: keep-alive
  • 162.241.140.161:80
    http://ren7oaks.co.uk/images/al2701.enc
    http
    budha.exe
    381 B
    1.3kB
    5
    4

    HTTP Request

    GET http://ren7oaks.co.uk/images/al2701.enc

    HTTP Response

    301
  • 162.241.140.161:443
    https://ren7oaks.co.uk/images/al2701.enc
    tls, http
    budha.exe
    1.7kB
    24.0kB
    19
    24

    HTTP Request

    GET https://ren7oaks.co.uk/images/al2701.enc

    HTTP Response

    404
  • 96.16.53.134:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    budha.exe
    369 B
    1.6kB
    5
    4

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 8.8.8.8:53
    ren7oaks.co.uk
    dns
    budha.exe
    60 B
    76 B
    1
    1

    DNS Request

    ren7oaks.co.uk

    DNS Response

    162.241.140.161

  • 8.8.8.8:53
    apps.identrust.com
    dns
    budha.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    96.16.53.134
    96.16.53.139

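Reading the network section: budha.exe resolves ren7oaks.co.uk, requests /images/al2701.enc with the hard-coded User-Agent "Updates downloader", follows the 301 to HTTPS and receives a 404. The second stage was not served at detonation time, which does not clear the host; payloads are routinely taken down or served conditionally. The Microsoft-CryptoAPI/6.1 request to apps.identrust.com for dstrootcax3.p7c is Windows' own certificate-chain retrieval triggered by the TLS handshake, consistent with the "Modifies system certificate store" signature (the fetched root is cached in the store), and is not attacker infrastructure. The Python below is an added example, not part of the tria.ge report or of the sample, that applies these indicators to a proxy log and separates the CryptoAPI noise from the real hits. The pipe-delimited log format, the client addresses and the extra 203.0.113.10 line are constructed for the example; the last line shows how the User-Agent alone surfaces a host that is not yet on the IOC list.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the report above.
C2_HOSTS = {"ren7oaks.co.uk"}
C2_IPS = {"162.241.140.161"}
SUSPECT_USER_AGENTS = {"Updates downloader"}

# Windows CryptoAPI fetching a CA root/intermediate while building a TLS chain.
# This is OS behaviour triggered by the TLS connection, not attacker infrastructure.
CRYPTOAPI_UA = re.compile(r"^Microsoft-CryptoAPI/\d+(\.\d+)*$")
CA_HOSTS = {"apps.identrust.com"}

# Constructed sample proxy log (not from the sandbox run).
# Format assumed for the example: ts|client|method|url|user_agent|status
SAMPLE_LOG = """\
2022-10-03T15:39:32Z|10.0.0.5|GET|http://ren7oaks.co.uk/images/al2701.enc|Updates downloader|301
2022-10-03T15:39:34Z|10.0.0.5|GET|http://apps.identrust.com/roots/dstrootcax3.p7c|Microsoft-CryptoAPI/6.1|200
2022-10-03T15:39:35Z|10.0.0.5|GET|https://ren7oaks.co.uk/images/al2701.enc|Updates downloader|404
2022-10-03T15:40:01Z|10.0.0.7|GET|https://www.example.com/|Mozilla/5.0 (Windows NT 6.1; Win64; x64)|200
2022-10-03T15:41:10Z|10.0.0.9|GET|http://203.0.113.10/update.bin|Updates downloader|200
"""


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    url: str
    user_agent: str
    status: int
    verdict: str  # c2-infrastructure | suspect-user-agent | cryptoapi-chain-fetch | none


def parse_line(line: str):
    """Split one pipe-delimited log line; return None for malformed lines."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 6:
        return None
    ts, client, method, url, ua, status = fields
    host = urlsplit(url).hostname or ""
    return ts, client, method, url, ua, int(status), host


def classify(host: str, user_agent: str) -> str:
    """Order matters: known infrastructure first, then the malware's UA, then OS noise."""
    if host in C2_HOSTS or host in C2_IPS:
        return "c2-infrastructure"
    if user_agent in SUSPECT_USER_AGENTS:
        return "suspect-user-agent"
    if CRYPTOAPI_UA.match(user_agent) and host in CA_HOSTS:
        return "cryptoapi-chain-fetch"
    return "none"


def triage(log_text: str) -> list:
    """Classify every well-formed line. The HTTP status is kept for context only:
    a 404 for the payload, as seen in the sandbox run, does not make the host benign."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, method, url, ua, status, host = parsed
        findings.append(Finding(ts, client, host, url, ua, status, classify(host, ua)))
    return findings


def alerts(findings: list) -> list:
    """Findings that warrant an alert; CryptoAPI chain fetches are informational."""
    return [f for f in findings if f.verdict in ("c2-infrastructure", "suspect-user-agent")]


def pivot_hosts(findings: list) -> list:
    """Hosts contacted with the malware's hard-coded User-Agent, including ones not on the IOC list."""
    return sorted({f.host for f in findings if f.user_agent in SUSPECT_USER_AGENTS})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in alerts(results):
        print(f"{f.ts} {f.client} -> {f.host} [{f.status}] {f.verdict}")
    print("hosts seen with the malware UA:", pivot_hosts(results))
```

The User-Agent string is the most durable indicator here: the domain and IP can be rotated, but a client that sends "Updates downloader" with an Accept header of text/*, application/* is the same downloader wherever it points. Pivoting on it across the whole log, as pivot_hosts does, is how the 203.0.113.10 line is surfaced without any prior knowledge of that host.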
MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    30KB

    MD5

    c113b8866cfa599d9b271a6942fd5770

    SHA1

    ec8193677922a425e49c29743c125566cafb4728

    SHA256

    48ca98ff3941c47afc0440c83e7ceed9bd0b16191296c1e676a73a7570d49002

    SHA512

    cbe5fc0316ccc485bdd2d556efed0d7663e5614cceba29f1248fe208c1a4cd99a2644fd74d8bf8adda8f9f69b44d4babd7a66e6e9c96d2efe3f8734dce996f48

  • \Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    30KB

    MD5

    c113b8866cfa599d9b271a6942fd5770

    SHA1

    ec8193677922a425e49c29743c125566cafb4728

    SHA256

    48ca98ff3941c47afc0440c83e7ceed9bd0b16191296c1e676a73a7570d49002

    SHA512

    cbe5fc0316ccc485bdd2d556efed0d7663e5614cceba29f1248fe208c1a4cd99a2644fd74d8bf8adda8f9f69b44d4babd7a66e6e9c96d2efe3f8734dce996f48

  • memory/616-63-0x00000000004C0000-0x00000000004C7000-memory.dmp

    Filesize

    28KB

  • memory/616-64-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2036-54-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2036-55-0x0000000076151000-0x0000000076153000-memory.dmp

    Filesize

    8KB

  • memory/2036-56-0x00000000004E0000-0x00000000004E7000-memory.dmp

    Filesize

    28KB

  • memory/2036-60-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB
