Analysis
max time kernel: 71s
max time network: 133s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09/10/2022, 22:51
Static task: static1
Behavioral task: behavioral1
Sample: f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe
Resource: win10-20220812-en
General
Target: f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe
Size: 1.9MB
MD5: 27fb5780e8b67db65713bf9c270b2dc7
SHA1: 433eaac26c37f2fb19cbefd08ce3fba911403323
SHA256: f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66
SHA512: d281a13cbd6aaf7497f3aafc24b5febaa07fe377f45e6c922178369555aefb4f53014500521b3a2d4a57ac838bedf62b7b4ca482c6b0ddb7733d3312c2ed7ba1
SSDEEP: 49152:C3dYyh7vObeX4tyHqzhbkOmI9/vvSYe6ZT:CeyBOKXsyKFYzS/X/eE
Malware Config
Signatures

Loads dropped DLL (4 IoCs)
  pid   Process
  4308  rundll32.exe
  4308  rundll32.exe
  3936  rundll32.exe
  3936  rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
  description  ioc                                                                                     Process
  Key created  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings  f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                                               procid_target
  PID 2244 wrote to memory of 2540  2244  f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe  67
  PID 2244 wrote to memory of 2540  2244  f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe  67
  PID 2244 wrote to memory of 2540  2244  f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe  67
  PID 2540 wrote to memory of 4308  2540  control.exe                                                           69
  PID 2540 wrote to memory of 4308  2540  control.exe                                                           69
  PID 2540 wrote to memory of 4308  2540  control.exe                                                           69
  PID 4308 wrote to memory of 3148  4308  rundll32.exe                                                          70
  PID 4308 wrote to memory of 3148  4308  rundll32.exe                                                          70
  PID 3148 wrote to memory of 3936  3148  RunDll32.exe                                                          71
  PID 3148 wrote to memory of 3936  3148  RunDll32.exe                                                          71
  PID 3148 wrote to memory of 3936  3148  RunDll32.exe                                                          71
Processes

1. C:\Users\Admin\AppData\Local\Temp\f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe (PID 2244)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7802080169143977cd1993117ac55a6fd2f6ae23ebce1fde7ca5340f8abad66.exe"
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\control.exe (PID 2540)
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\VQH1CRLu.CPL",
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe (PID 4308)
         Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VQH1CRLu.CPL",
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\RunDll32.exe (PID 3148)
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VQH1CRLu.CPL",
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\rundll32.exe (PID 3936)
               Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\VQH1CRLu.CPL",
               - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.7MB
MD5: dc3a8fdcdc7a18ae814b13a39e7396a0
SHA1: 26506cd05d2447e40da816cbeb007c2b037b1b47
SHA256: babf409dc0edea7f42ef03dd944231a513a9f9d75fb7ffd6c1cde64c8f099be1
SHA512: fca9bb3fa178eb8c9527cfc0a4d00341cf9687e7d6fed84674bbec12e5fd5225a3a8079e535ac128496ee0e01ff2c6e3d37806c28fc982324afbb2caa7708735