Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    167s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 19:25

General

  • Target

    96c394b741b7451872c658be5aa1283d.exe

  • Size

    73KB

  • MD5

    96c394b741b7451872c658be5aa1283d

  • SHA1

    b00a0c4073a1192e8061c11521f00a167ba76df7

  • SHA256

    34a76a64e1a7a96c82f37c25c3861cb959584497e3d4bf8344ea7468a1b925a8

  • SHA512

    3d777d58b44518a08c77ddc366821fc4d7906f4b6c68bd794328a1fc0a47a895785ce47b97eee74de617cf0ba358546b1f3a4875907b60446b5f60c798674400

  • SSDEEP

    1536:JgSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:JMSjOnrmBbMqqMmr3IdE8we0Avu5r++N

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96c394b741b7451872c658be5aa1283d.exe
    "C:\Users\Admin\AppData\Local\Temp\96c394b741b7451872c658be5aa1283d.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup nomoreransom.bit dns1.soprodns.ru
      2⤵
        PID:4976
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup emsisoft.bit dns1.soprodns.ru
        2⤵
          PID:4408
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup gandcrab.bit dns1.soprodns.ru
          2⤵
            PID:4312
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup nomoreransom.bit dns1.soprodns.ru
            2⤵
              PID:2816
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup emsisoft.bit dns1.soprodns.ru
              2⤵
                PID:4996
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup gandcrab.bit dns1.soprodns.ru
                2⤵
                  PID:2788
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup nomoreransom.bit dns1.soprodns.ru
                  2⤵
                    PID:4280
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup emsisoft.bit dns1.soprodns.ru
                    2⤵
                      PID:2576
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup gandcrab.bit dns1.soprodns.ru
                      2⤵
                        PID:5044
                      • C:\Windows\SysWOW64\nslookup.exe
                        nslookup nomoreransom.bit dns1.soprodns.ru
                        2⤵
                          PID:3320
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup emsisoft.bit dns1.soprodns.ru
                          2⤵
                            PID:2052
                          • C:\Windows\SysWOW64\nslookup.exe
                            nslookup gandcrab.bit dns1.soprodns.ru
                            2⤵
                              PID:3376

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads