Analysis
- max time kernel: 33s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2022, 17:16
Static task
- static1
Behavioral tasks
- behavioral1: sample ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe on resource win7-20220812-en
- behavioral2: sample ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe on resource win10v2004-20220812-en
General
- Target: ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
- Size: 21KB
- MD5: a008fed1202090617be74e3c5b871690
- SHA1: 7cd8b1f860c6fc53ca9ab73b38e8b384f56e93f4
- SHA256: ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c
- SHA512: 48fb986528526293bf2892200707cd393dbe8972546fec05dc3456cfdacadda05cb31a858a58725ae143a0fcef4e2f319197b2a811bbeed28f669f95c373a68f
- SSDEEP: 384:hWw3e7zpf6n0+7RjiyGS0x3oJPwh4EiUJanzK7u+GmK:Je7zpe0kRwS0z4EvE27qd
Malware Config
Signatures
- Drops file in Drivers directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\drivers\rgbzpi.sys | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\rgbzpi.sys | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
  File created | C:\Windows\SysWOW64\drivers\ynbypp.sys | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\ynbypp.sys | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
- Sets service image path in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rgbzpi\ImagePath = "system32\\drivers\\rgbzpi.sys" | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ynbypp\ImagePath = "system32\\drivers\\ynbypp.sys" | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1272 | Rundll32.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\ynbypp.dll | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
  File created | C:\Windows\SysWOW64\ynbypp.dll | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid | Process
  1272 | Rundll32.exe (22 occurrences)
- Suspicious behavior: LoadsDriver (2 IoCs)
  pid | Process
  460 | Process not Found (2 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1348 wrote to memory of 1272 | 1348 | ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe | 26 (7 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe"
   PID: 1348
   - Drops file in Drivers directory
   - Sets service image path in registry
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Rundll32.exe (child of PID 1348 in the process tree)
   Command line: C:\Windows\system32\Rundll32.exe "C:\Windows\system32\ynbypp",DllUnregisterServer
   PID: 1272
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
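The chain the report records is a user-mode dropper writing .sys files under SysWOW64\drivers, writing each service's ImagePath value directly in the registry, and then launching the 32-bit rundll32 against an extensionless system32 path that WOW64 redirects to the dropped SysWOW64\ynbypp.dll. The hunt below, an added example that is not part of the tria.ge report, runs that logic over constructed Sysmon-like event lines mirroring the report's IoCs (event ids 1, 11 and 13 follow Sysmon's numbering; the key=value field names are assumptions for this example). It also generalizes slightly: any rundll32 load of a module that a non-Windows binary wrote earlier, or any extensionless rundll32 module, is flagged, not just this sample's names.

```python
"""Hunt for the dropper -> driver/ImagePath -> rundll32 chain in host telemetry.

Added example for this report, not tria.ge code. Event lines are constructed
to mirror the report's IoCs in a Sysmon-like shape (1 = process create,
11 = file create, 13 = registry value set); the key=value field names are
assumptions for this example, not a real Sysmon schema.
"""
import re

# Dropper name and drop location as recorded in the report.
DROPPER = "ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe"
DROPPER_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + DROPPER

# Constructed sample telemetry: "<event_id>|key=value|key=value...".
SAMPLE_EVENTS = [
    rf"11|pid=1348|image={DROPPER_PATH}|target=C:\Windows\SysWOW64\drivers\rgbzpi.sys",
    rf"11|pid=1348|image={DROPPER_PATH}|target=C:\Windows\SysWOW64\drivers\ynbypp.sys",
    rf"11|pid=1348|image={DROPPER_PATH}|target=C:\Windows\SysWOW64\ynbypp.dll",
    rf"13|pid=1348|image={DROPPER_PATH}|target=HKLM\SYSTEM\ControlSet001\services\rgbzpi\ImagePath|details=system32\drivers\rgbzpi.sys",
    rf"13|pid=1348|image={DROPPER_PATH}|target=HKLM\SYSTEM\ControlSet001\services\ynbypp\ImagePath|details=system32\drivers\ynbypp.sys",
    r'1|pid=1272|ppid=1348|image=C:\Windows\SysWOW64\Rundll32.exe|cmdline=C:\Windows\system32\Rundll32.exe "C:\Windows\system32\ynbypp",DllUnregisterServer',
    # Benign noise that must not alert: the SCM touching a service key, and
    # rundll32 loading a well-known DLL given with its extension.
    r"13|pid=700|image=C:\Windows\System32\services.exe|target=HKLM\SYSTEM\ControlSet001\services\Spooler\Start|details=2",
    r"1|pid=2000|ppid=1500|image=C:\Windows\System32\rundll32.exe|cmdline=rundll32.exe shell32.dll,Control_RunDLL",
]

# rundll32 <module>,<export>; the module may be quoted and may lack ".dll".
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*([A-Za-z_]\w*)', re.IGNORECASE)


def parse_event(line):
    """Split '<id>|k=v|k=v' into a dict; only the first '=' of a field separates key and value."""
    event_id, *fields = line.split("|")
    event = {"id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def under_windows(image):
    """True for images that live under C:\\Windows (services.exe, svchost, ...)."""
    return image.lower().startswith("c:\\windows\\")


def stem_of(path):
    """'C:\\x\\ynbypp.dll' -> 'ynbypp'; an extensionless name is returned unchanged."""
    base = path.rsplit("\\", 1)[-1].lower()
    return base.rsplit(".", 1)[0]


def hunt(lines):
    """Return (rule, pid, detail) tuples for events matching the report's chain."""
    alerts = []
    dropped = {}  # module stem -> path, for files written by non-Windows binaries
    for event in map(parse_event, lines):
        image = event.get("image", "")
        if event["id"] == 11 and not under_windows(image):
            target = event["target"]
            dropped[stem_of(target)] = target
            if "\\drivers\\" in target.lower():
                alerts.append(("driver_dropped_by_user_process", event["pid"], target))
        elif event["id"] == 13:
            target = event["target"]
            # CreateService() makes services.exe perform this write; a user-mode
            # binary writing ImagePath itself, as the dropper does here, is the tell.
            if (target.lower().endswith("\\imagepath") and "\\services\\" in target.lower()
                    and not under_windows(image)):
                alerts.append(("service_imagepath_written_directly", event["pid"], target))
        elif event["id"] == 1 and "rundll32" in image.lower():
            match = RUNDLL_RE.search(event.get("cmdline", ""))
            if not match:
                continue
            module, export = match.groups()
            # Correlate by stem, not full path: the 32-bit rundll32 is given
            # "system32\ynbypp", but WOW64 redirection resolves that to
            # SysWOW64\ynbypp.dll, which is where the dropper wrote the file.
            if stem_of(module) in dropped:
                alerts.append(("rundll32_loads_dropped_module", event["pid"],
                               f"{dropped[stem_of(module)]} via {export}"))
            elif "." not in module.rsplit("\\", 1)[-1]:
                alerts.append(("rundll32_extensionless_module", event["pid"], module))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

Run against the constructed events this yields five alerts, all attributed to PIDs 1348 and 1272, and nothing for the services.exe and shell32.dll control lines. On a real host the same three checks translate directly to Sysmon event ids 11, 13 and 1 with the rule exclusions tuned to the installer and driver-update processes that legitimately write under drivers\ and to ImagePath.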
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 10KB
  MD5: 0118cd2898ce45335479b51e23cdd76c
  SHA1: dfe9bcc062bcad4c3d22a83f4a39d6541f4bb110
  SHA256: d35ca075d341bb8cbc3e6dd8369bf809e54b79fbb28dd5e14999e691b6e27cbb
  SHA512: 984884a78279ec11b646c445be8f71ff7e6343525dd16a935feafec66b8b97fd1faeecbd3312e6bd2be1234bc8bf6bf971a625c91e5534f6fa52c2aa981761ce
- Filesize: 10KB
  MD5: 0118cd2898ce45335479b51e23cdd76c
  SHA1: dfe9bcc062bcad4c3d22a83f4a39d6541f4bb110
  SHA256: d35ca075d341bb8cbc3e6dd8369bf809e54b79fbb28dd5e14999e691b6e27cbb
  SHA512: 984884a78279ec11b646c445be8f71ff7e6343525dd16a935feafec66b8b97fd1faeecbd3312e6bd2be1234bc8bf6bf971a625c91e5534f6fa52c2aa981761ce