Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 15:43

General

  • Target

    ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe

  • Size

    206KB

  • MD5

    00896d0fabce787ef836b79030937a20

  • SHA1

    133809d80bc189c87c623c191694862b42eac214

  • SHA256

    ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268

  • SHA512

    4b301755d0d9b6979decd645d298db8a5366b78a2b7a59921daefc23e2a0656d6b15d6b7340e4b7fdc7aee83f279a7bc031d0bca455362fd748cce539f2de103

  • SSDEEP

    3072:bS8BCfoDaXJNMqxvMiDu166YZQrA69RElT+vMZkjCSfCwPEIsmE3D8A+QwGCipii:bPB6EqxUHLYO4YMZgCaCFz8Gag

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe (PID 1732, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe (PID 960, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe (PID 2036, depth 3)
        Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
        • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

    Filesize

    278KB

    MD5

    f84d1bc60890aa2178c02828deeb38b7

    SHA1

    aa83705876f9a252eb34231b738f9f46a24a45db

    SHA256

    d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764

    SHA512

    11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3

  • \Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

    Filesize

    278KB

    MD5

    f84d1bc60890aa2178c02828deeb38b7

    SHA1

    aa83705876f9a252eb34231b738f9f46a24a45db

    SHA256

    d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764

    SHA512

    11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3

  • \Users\Admin\AppData\Local\Temp\nsd320B.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • memory/960-65-0x00000000002C0000-0x00000000002C4000-memory.dmp (Filesize 16KB)
  • memory/1732-54-0x0000000075771000-0x0000000075773000-memory.dmp (Filesize 8KB)
  • memory/2036-62-0x00000000001B0000-0x00000000002AA000-memory.dmp (Filesize 1000KB)
  • memory/2036-64-0x0000000000400000-0x00000000036C8000-memory.dmp (Filesize 50.8MB)
  • memory/2036-66-0x0000000000400000-0x00000000036C8000-memory.dmp (Filesize 50.8MB)
  • memory/2036-68-0x0000000000400000-0x00000000036C8000-memory.dmp (Filesize 50.8MB)
  • memory/2036-69-0x0000000000400000-0x00000000036C8000-memory.dmp (Filesize 50.8MB)
  • memory/2036-71-0x0000000000400000-0x00000000036C8000-memory.dmp (Filesize 50.8MB)
  • memory/2036-75-0x0000000000400000-0x00000000036C8000-memory.dmp (Filesize 50.8MB)
  • memory/2036-76-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize 52KB)
  • memory/2036-78-0x0000000000400000-0x000000000040D000-memory.dmp (Filesize 52KB)