Analysis
max time kernel: 145s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 00:40
Static task: static1
Behavioral task: behavioral1
  Sample: 5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
  Resource: win10v2004-20220812-en
General
Target: 5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
Size: 122KB
MD5: 0660c7107a521ef3467678bf1417a860
SHA1: 4c59ff3c87b06ab283a04be9ea48d872dd0fd229
SHA256: 5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e
SHA512: 3ecb34b1d72b7b17b57bdd0deecaec9111ea7698acb866a16b4dc1f5246298acab0e06f4eb3c05cf79e153f2de049edc56b2abb0dc3f35b8ef2f1fb5b983b7c3
SSDEEP: 3072:bS8BCfoDaXJNMhz6mZixAc39tFOtUa9fwHPTQEXt5FeUy+huC:bPB6Eh+rAU8tUaNw7Qg5sl+YC
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1892  NvdUpd.exe
  1824  NvdUpd.exe

Loads dropped DLL (1 IoC)
  pid   Process
  4392  5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                                Process
  Key created      \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                           5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"   5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process     procid_target
  PID 1892 set thread context of 1824  1892  NvdUpd.exe  84

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1892  NvdUpd.exe
  1892  NvdUpd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1892  NvdUpd.exe
  1892  NvdUpd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                               procid_target
  PID 4392 wrote to memory of 1892  4392  5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe  83
  PID 4392 wrote to memory of 1892  4392  5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe  83
  PID 4392 wrote to memory of 1892  4392  5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe  83
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
  PID 1892 wrote to memory of 1824  1892  NvdUpd.exe                                                            84
Processes

1. C:\Users\Admin\AppData\Local\Temp\5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe"
   PID: 4392
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe  (child of PID 4392)
      Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
      PID: 1892
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe  (child of PID 1892)
         Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
         PID: 1824
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 126KB
MD5: 518ed52dfc1f7a3d6079b00148b7b566
SHA1: 85d18da08a71673321fc9f3ffb029351adffd177
SHA256: ed2de07745124c6ee21380c482452e34982d28b54886f97d34f6210ad4bf0dc5
SHA512: a2c60976411f2603324b6493dc9cbbcdfcb891587a8f81d306d4bc6387efa3844e1cd0c8875216f3baa5482476714176c13987aa974fff14906f2c2a2d8a6e76

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f