Analysis
- max time kernel: 93s
- max time network: 153s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 11/10/2022, 02:35

Static task: static1
Behavioral task: behavioral1
- Sample: d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6.exe
- Resource: win10-20220812-en
General
- Target: d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6.exe
- Size: 1.5MB
- MD5: b6e91cccac0d87a330be46cb97fa4f5c
- SHA1: 8cdc0bf32fcd7742885318d4552b38b30f75a3fa
- SHA256: d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6
- SHA512: d5d99d97c04c3b231a94b3e3768db84acc8966d89102f64b6a240dc3cd15195bc8a8548b63f71ae54a594c651cd79ce0a8aa3c994afc10d7e0e42d8878432168
- SSDEEP: 24576:b062cSEk8zNlLoUDgBvQ6/SG+CKdVl2baSRjbQty/90RJmFWWX0lbEf3nnhV8ILx:A6PahU0Nk9rVl2+SZQTmCmn/BHQaoH12
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
    PID   Process
    1064  rundll32.exe
    4244  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
    Description  IoC                                                                                 Process
    Key created  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings  d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
    Writer PID  Writer process                                                         Target PID  Events  procid_target
    2512        d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6.exe  4988        3       66
    4988        control.exe                                                            1064        3       68
    1064        rundll32.exe                                                           5004        2       69
    5004        RunDll32.exe                                                           4244        3       70
  Every one of the 11 events is a parent writing into the child it has just created (2512 -> 4988 -> 1064 -> 5004 -> 4244, matching the process tree below). That is part of ordinary process start-up; none of the writes target a process outside the sample's own lineage.
Processes
1. C:\Users\Admin\AppData\Local\Temp\d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6.exe (PID 2512)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6.exe"
   Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\control.exe (PID 4988)
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\_eDQB5GH.cpL",
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 1064)
         Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_eDQB5GH.cpL",
         Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\RunDll32.exe (PID 5004)
            Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_eDQB5GH.cpL",
            Signatures: Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\rundll32.exe (PID 4244)
               Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\_eDQB5GH.cpL",
               Signatures: Loads dropped DLL

Reading the tree: the sample drops _eDQB5GH.cpL into its own %TEMP% directory and opens it with control.exe. A .cpl file is a Control Panel item, which is a DLL, and control.exe does not load it itself: it passes the path to rundll32.exe with Shell32.dll,Control_RunDLL (shell32.dll,#44 on the last hop is the ordinal form of the same export), and rundll32.exe loads the DLL in-process. The two "Loads dropped DLL" hits are on PIDs 1064 and 4244, both rundll32.exe, so the dropped code runs inside a Microsoft-signed host rather than in the sample's own process. Note also that control.exe and the first rundll32.exe are launched by their System32 path but the image that actually ran is under SysWOW64: that is WOW64 file-system redirection, which tells you the launching process (the sample itself for PID 4988) is 32-bit. The chain then alternates between the 64-bit RunDll32.exe in system32 and the 32-bit copy in SysWOW64 before the DLL is finally loaded.

-
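The report shows the chain only as a rendered tree and a flat list of WriteProcessMemory events. The script below is an added example, not part of the tria.ge report or its tooling: it transcribes the five processes and eleven memory-write events from this page into constructed records (parent PIDs are taken from the tree's nesting) and then applies the two checks described above, flagging a .cpl from a user-writable directory launched through control.exe/rundll32 Control_RunDLL, spotting WOW64 redirection, and separating parent-into-child writes from writes into unrelated processes. The record layout and the function names are illustrative assumptions.

```python
"""Flag Control Panel applet (.cpl) execution chains in sandbox process data.

Added example for this report: the records below are transcribed from the
process tree and the WriteProcessMemory signature above. They are constructed
for illustration; tria.ge does not emit this structure.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int       # 0 when the parent is outside the captured tree
    image: str      # on-disk image that actually ran (after WOW64 redirection)
    cmdline: str    # command line as observed


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\d6814d21034f2ebb85b7d0dc46faab991f753cb08dfaa81b8ff3509ba8e5b7e6.exe"
CPL = TEMP + r"\_eDQB5GH.cpL"

# Constructed from the report's process tree: (PID, parent PID, image, command line).
PROCESSES = [
    Proc(2512, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(4988, 2512, r"C:\Windows\SysWOW64\control.exe",
         f'"C:\\Windows\\System32\\control.exe" "{CPL}",'),
    Proc(1064, 4988, r"C:\Windows\SysWOW64\rundll32.exe",
         f'"C:\\Windows\\system32\\rundll32.exe" Shell32.dll,Control_RunDLL "{CPL}",'),
    Proc(5004, 1064, r"C:\Windows\system32\RunDll32.exe",
         f'C:\\Windows\\system32\\RunDll32.exe Shell32.dll,Control_RunDLL "{CPL}",'),
    Proc(4244, 5004, r"C:\Windows\SysWOW64\rundll32.exe",
         f'"C:\\Windows\\SysWOW64\\rundll32.exe" "C:\\Windows\\SysWOW64\\shell32.dll",#44 "{CPL}",'),
]

# Constructed from the "Suspicious use of WriteProcessMemory" signature: (writer PID, target PID).
WPM_EVENTS = [(2512, 4988)] * 3 + [(4988, 1064)] * 3 + [(1064, 5004)] * 2 + [(5004, 4244)] * 3

CPL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.cpl)"?', re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)
CONTROL_RUNDLL = re.compile(r"shell32\.dll\W+(Control_RunDLL|#44)\b", re.IGNORECASE)


def cpl_from_cmdline(cmdline):
    """Return the first .cpl path on the command line, or None."""
    m = CPL_ARG.search(cmdline)
    return m.group(1) if m else None


def is_cpl_loader(p):
    """control.exe, or rundll32.exe invoked with Shell32's Control_RunDLL (by name or ordinal #44)."""
    name = ntpath.basename(p.image).lower()
    return name == "control.exe" or (name == "rundll32.exe" and CONTROL_RUNDLL.search(p.cmdline) is not None)


def wow64_redirected(p):
    """True when the command line names \\System32\\ but the image that ran is under \\SysWOW64\\.

    That is WOW64 file-system redirection: a 32-bit parent asked for the System32 path and
    got the 32-bit copy, so a hit here tells you the *parent* is a 32-bit process.
    """
    first = p.cmdline.split('"')[1] if p.cmdline.startswith('"') else p.cmdline.split()[0]
    return "\\system32\\" in first.lower() and "\\syswow64\\" in p.image.lower()


def find_cpl_chains(procs):
    """Group .cpl launches from user-writable paths by the process that started the chain.

    Returns [(origin PID, cpl path, sorted loader PIDs)], walking up through the
    control.exe -> rundll32.exe hand-offs so one dropped .cpl yields one finding.
    """
    by_pid = {p.pid: p for p in procs}
    chains = {}
    for p in procs:
        cpl = cpl_from_cmdline(p.cmdline)
        if cpl is None or not is_cpl_loader(p) or not USER_WRITABLE.match(cpl):
            continue
        top = p
        while top.ppid in by_pid and is_cpl_loader(by_pid[top.ppid]):
            top = by_pid[top.ppid]
        entry = chains.setdefault((top.ppid, cpl.lower()), (top.ppid, cpl, []))
        entry[2].append(p.pid)
    return [(origin, path, sorted(pids)) for origin, path, pids in chains.values()]


def classify_writes(events, procs):
    """Split WriteProcessMemory events into writes into the writer's own child (expected during
    process creation) and writes into any other process (the injection candidates)."""
    by_pid = {p.pid: p for p in procs}
    own_child, other = [], []
    for writer, target in events:
        t = by_pid.get(target)
        (own_child if t is not None and t.ppid == writer else other).append((writer, target))
    return own_child, other


if __name__ == "__main__":
    for origin, path, loaders in find_cpl_chains(PROCESSES):
        print(f"PID {origin} launched {path} via {loaders}")
    print("WOW64-redirected children:", [p.pid for p in PROCESSES if wow64_redirected(p)])
    own, other = classify_writes(WPM_EVENTS, PROCESSES)
    print(f"{len(own)} parent->child writes, {len(other)} cross-process writes")
```

On this report the script yields a single finding rooted at PID 2512 covering all four loader processes, flags PIDs 4988 and 1064 as WOW64-redirected, and classifies all 11 memory writes as parent-into-child with no cross-process candidates. The same logic can be run over Sysmon event ID 1 (process create) and event ID 8/10 records, provided the image path field is the post-redirection path, as it is here.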
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (listed three times in the report, identical hashes each time)
- Filesize: 1.4MB
- MD5: 38cac0563a92fd1ef28616dc9355a696
- SHA1: 3fe0518b1741546f1c82d1281f69f476bd571b95
- SHA256: fa4f68944ad1e192c4c10c1bb4602577e4de29e82b45989c55e845b291d2cec8
- SHA512: e21a017e14b2d446827d39bdb4f54a43fa83dc9c6af15adcf851f53759458603c6720a6df8682af794421e0020932755028f9dfe50c640419488ca09ee407047