Analysis

  • max time kernel
    90s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2022, 10:01

General

  • Target

    SOLICITUD DE OFERTA.exe

  • Size

    624KB

  • MD5

    b47e1ab501e4a96100632e46f4506468

  • SHA1

    5b3a1dd3ed22be9caa31a1a3106b9cb8b37158c0

  • SHA256

    2e644ef57ac147bc5283cc5192792a3a396c68f62c8c90ce870e0eea276430ea

  • SHA512

    84a133d0afe249cdb472f594ada771e13218f2a0945e26cd811efd2b35e725648ffda0ec63eefd7e60cca8a1202da7a4c68ae5946abcbd6e39172ce8dcfe7f1e

  • SSDEEP

    12288:/eS2Cp0JwEk/+d9a5VQircJlWG+jbJJ7E18gWo7Or:V2CnEkmdGV9rcJD+jo8r

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.exe
    "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c echo C:\Users\Admin\Skillemnt\Redepreciated.Luf
      2⤵
        PID:4512

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsdA994.tmp\System.dll

      Filesize

      12KB

      MD5

      8cf2ac271d7679b1d68eefc1ae0c5618

      SHA1

      7cc1caaa747ee16dc894a600a4256f64fa65a9b8

      SHA256

      6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

      SHA512

      ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

    • C:\Users\Admin\AppData\Local\Temp\nsdA994.tmp\nsExec.dll

      Filesize

      7KB

      MD5

      f27689c513e7d12c7c974d5f8ef710d6

      SHA1

      e305f2a2898d765a64c82c449dfb528665b4a892

      SHA256

      1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

      SHA512

      734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

    • memory/4060-138-0x0000000002980000-0x0000000002A81000-memory.dmp

      Filesize

      1.0MB

    • memory/4060-139-0x0000000002980000-0x0000000002A81000-memory.dmp

      Filesize

      1.0MB