Analysis

max time kernel:  90s
max time network: 154s
platform:         windows10-2004_x64
resource:         win10v2004-20220901-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted:        06/11/2022, 18:49
Static task: static1

Behavioral task: behavioral1
  Sample:   edfdbb51b924bc503979764a107a6b21.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   edfdbb51b924bc503979764a107a6b21.exe
  Resource: win10v2004-20220901-en
General

Target: edfdbb51b924bc503979764a107a6b21.exe
Size:   1.3MB
MD5:    edfdbb51b924bc503979764a107a6b21
SHA1:   d5aee7e8fa1c8409df3f8680bd0838e340b02919
SHA256: 299f163bfa323164ca2db712eb788d8b71f7c1b7197aed20e23409368f5d9eed
SHA512: 0f6a429fe18337890e8445e43bc826c428af256d2691a72701a4a8e4f943943d25b2dcc3ed36a3fd10ffcc8f1609dd1fec3045527c9ee6d118138ec1386aee4d
SSDEEP: 24576:KWkI3RbidB+WwCUENepvtCKxGqSMntHnaoyKmQrLL/7hZSqpzyn1IvQqFRM:KZXOWw3XpvcahRnbuQnL/CqpG13ORM
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  9     1236  rundll32.exe
  10    1236  rundll32.exe
Suspicious use of SetThreadContext (1 IoC)
  description                            pid  Process                               procid_target
  PID 384 set thread context of 2664     384  edfdbb51b924bc503979764a107a6b21.exe  81
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  624  384         WerFault.exe  79
Checks processor information in registry (2 TTPs, 19 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All 19 registry accesses below were made by edfdbb51b924bc503979764a107a6b21.exe.

  description           ioc
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
Modifies Internet Explorer settings (1 IoC)
  description  ioc                                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TypedURLs  rundll32.exe
Modifies registry class (1 IoC)
  description  ioc                                                                          Process
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  rundll32.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2664  rundll32.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid  Process                               procid_target  count
  PID 384 wrote to memory of 1236    384  edfdbb51b924bc503979764a107a6b21.exe  80             20 identical entries
  PID 384 wrote to memory of 2664    384  edfdbb51b924bc503979764a107a6b21.exe  81             4 identical entries
Processes

C:\Users\Admin\AppData\Local\Temp\edfdbb51b924bc503979764a107a6b21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\edfdbb51b924bc503979764a107a6b21.exe"
  PID: 384
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    PID: 1236
    - Blocklisted process makes network request

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    PID: 2664
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1060
    PID: 624
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 384 -ip 384
  PID: 5032
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3.5MB
MD5:      a7d875022bb5e3a34d034b947003d1b3
SHA1:     5905ca93fea101ce80e5bf8925eb2a7eec1e333d
SHA256:   bcdf4c540c4289f81c98448d0a4482a96522fb767ab6015e76288afce148226a
SHA512:   f2b78a100cf0fa84909629b892e548d7ef9797621623a96aa75f15241d7350eecca117c3793056c30dc317ade8ecc0023c2b875516d9c25ac9bb0d880bb3149a