Analysis
Max time kernel: 151s
Max time network: 159s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/11/2022, 01:59
Static task: static1
Behavioral task: behavioral1
  Sample: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe
  Resource: win10v2004-20220901-en
General
Target: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe
Size: 109KB
MD5: 0e2e43cb67f02561f3436a01137912c0
SHA1: 0a3545e4db7e3f007f8cfc22c233d567cb5afc20
SHA256: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4
SHA512: 98bf0aa64149807401d1e8d4d9b2abfea0ca0531b75506c8e738509b4e63202d1918e0959582b0623e54a1a44fa24c14889c6e6d48e41679f2824d1d56a10c93
SSDEEP: 3072:bS8BCfoDaXJNMFlh2sBytr9OMxIfvQ+Y1ua0:bPB6EFP2qIE1nug/
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  1380  NvdUpd.exe
  4024  NvdUpd.exe

Loads dropped DLL (1 IoC)
  PID   Process
  848   d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe" (process: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1380 set thread context of 4024 (process: NvdUpd.exe, procid_target: 83)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  1380  NvdUpd.exe
  1380  NvdUpd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  1380  NvdUpd.exe
  1380  NvdUpd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 848 wrote to memory of 1380 (process: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe, procid_target: 82)
  PID 848 wrote to memory of 1380 (process: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe, procid_target: 82)
  PID 848 wrote to memory of 1380 (process: d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe, procid_target: 82)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
  PID 1380 wrote to memory of 4024 (process: NvdUpd.exe, procid_target: 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe (PID 848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe (PID 1380)
    Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe (PID 4024)
      Command line: "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 85KB
  MD5: a0d65f5874d3371bf7f5dab210d81cea
  SHA1: 9513320628ce06d3a5ad37288341141af7fda8b1
  SHA256: 15159eb54d43e03116423d9d4f286dacf0d4af544e01dd8f2ebc11214e5f6758
  SHA512: e5a033f0734eaabfefa4654ce0f55a12be36df260f7c5283d102e20b165fa36937ef175c3e96e3f929557163bbd46101eb28d5b2235ccb0cdb88de997bce5ea8
- Filesize: 85KB
  MD5: a0d65f5874d3371bf7f5dab210d81cea
  SHA1: 9513320628ce06d3a5ad37288341141af7fda8b1
  SHA256: 15159eb54d43e03116423d9d4f286dacf0d4af544e01dd8f2ebc11214e5f6758
  SHA512: e5a033f0734eaabfefa4654ce0f55a12be36df260f7c5283d102e20b165fa36937ef175c3e96e3f929557163bbd46101eb28d5b2235ccb0cdb88de997bce5ea8
- Filesize: 85KB
  MD5: a0d65f5874d3371bf7f5dab210d81cea
  SHA1: 9513320628ce06d3a5ad37288341141af7fda8b1
  SHA256: 15159eb54d43e03116423d9d4f286dacf0d4af544e01dd8f2ebc11214e5f6758
  SHA512: e5a033f0734eaabfefa4654ce0f55a12be36df260f7c5283d102e20b165fa36937ef175c3e96e3f929557163bbd46101eb28d5b2235ccb0cdb88de997bce5ea8
- Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f