Analysis
- max time kernel: 67s
- max time network: 52s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15/10/2022, 08:34
Static task: static1
Behavioral task: behavioral1
Sample: 49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe
Resource: win10-20220812-en
General
- Target: 49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe
- Size: 1.6MB
- MD5: afd2636bba2c7ad94c6482d5d1a12898
- SHA1: ccfa7daabdac6cb08586c88f191e4848d5402022
- SHA256: 49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95
- SHA512: 82f4c7d5f088e4afc3f96eef65264d972958d350eb3dfe9218fe73cad04e551e704cb8e39c85065790edd73684aa5a67f9f8a85d6c4517b9d747133defc5e183
- SSDEEP: 24576:b062cSEk8zNlL2BKjxevlMEUti+9RhtJnZwPybWoqq9aoegvO9SrJtwVeoB6a9it:A6Paqle9UVBtvwP0WotegS2twV35XLY
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid / Process:
  - 3452 rundll32.exe
  - 2448 rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings (49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description / pid / Process / procid_target:
  - PID 1680 wrote to memory of 4844 (pid 1680, 49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe, procid_target 66)
  - PID 1680 wrote to memory of 4844 (pid 1680, 49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe, procid_target 66)
  - PID 1680 wrote to memory of 4844 (pid 1680, 49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe, procid_target 66)
  - PID 4844 wrote to memory of 3452 (pid 4844, control.exe, procid_target 68)
  - PID 4844 wrote to memory of 3452 (pid 4844, control.exe, procid_target 68)
  - PID 4844 wrote to memory of 3452 (pid 4844, control.exe, procid_target 68)
  - PID 3452 wrote to memory of 448 (pid 3452, rundll32.exe, procid_target 69)
  - PID 3452 wrote to memory of 448 (pid 3452, rundll32.exe, procid_target 69)
  - PID 448 wrote to memory of 2448 (pid 448, RunDll32.exe, procid_target 70)
  - PID 448 wrote to memory of 2448 (pid 448, RunDll32.exe, procid_target 70)
  - PID 448 wrote to memory of 2448 (pid 448, RunDll32.exe, procid_target 70)
Processes
- C:\Users\Admin\AppData\Local\Temp\49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe"
  PID: 1680
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
    PID: 4844
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
      PID: 3452
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\RunDll32.exe
        Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
        PID: 448
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
          PID: 2448
          - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.6MB
  MD5: 4a0513513c389ccd8729f701217f114b
  SHA1: 9e50e6290a50b99563749ad61447d31430240c00
  SHA256: 5dabeb9c86c38eea1abfd5dc80c44fa2d70e5cfe7154d82baaf628a95ef38a7a
  SHA512: 10362e354a0eecd6494d26c07a784672b4548078fed86eb4bd69e65b82d4acef80ac73096a8494ae04397894ea2f432f76779102de92f943787998a3764dda88