Analysis
max time kernel: 144s
max time network: 161s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 11/10/2022, 15:43
Static task: static1
Behavioral task: behavioral1
Sample: ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
Resource: win10v2004-20220812-en
General
Target: ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
Size: 206KB
MD5: 00896d0fabce787ef836b79030937a20
SHA1: 133809d80bc189c87c623c191694862b42eac214
SHA256: ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268
SHA512: 4b301755d0d9b6979decd645d298db8a5366b78a2b7a59921daefc23e2a0656d6b15d6b7340e4b7fdc7aee83f279a7bc031d0bca455362fd748cce539f2de103
SSDEEP: 3072:bS8BCfoDaXJNMqxvMiDu166YZQrA69RElT+vMZkjCSfCwPEIsmE3D8A+QwGCipii:bPB6EqxUHLYO4YMZgCaCFz8Gag
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid 960: NvdUpd.exe
pid 2036: NvdUpd.exe
Loads dropped DLL (3 IoCs)
pid 1732: ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe (3 events)
Adds Run key to start application (2 TTPs, 2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe" (process: ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe)
Suspicious use of SetThreadContext (1 IoCs)
PID 960 (NvdUpd.exe) set thread context of PID 2036 (procid_target 28)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid 960: NvdUpd.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid 960: NvdUpd.exe (2 events)
Suspicious use of WriteProcessMemory (14 IoCs)
PID 1732 (ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe) wrote to memory of PID 960 (procid_target 27): 4 events
PID 960 (NvdUpd.exe) wrote to memory of PID 2036 (procid_target 28): 10 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe (PID 1732)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe (PID 960)
      Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe (PID 2036)
         Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 278KB
MD5: f84d1bc60890aa2178c02828deeb38b7
SHA1: aa83705876f9a252eb34231b738f9f46a24a45db
SHA256: d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764
SHA512: 11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f