Analysis

  • max time kernel
    90s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 14:55

General

  • Target

    0b7e9ce3f842b4f730c9531f6bddddfd3859245fc6eb8758ec9478228fb189d8.exe

  • Size

    512KB

  • MD5

    0de4fa66b6ecea607fc63d9773749540

  • SHA1

    b676b8e1a63ce54aace4f8e50c4cc2660abc0712

  • SHA256

    0b7e9ce3f842b4f730c9531f6bddddfd3859245fc6eb8758ec9478228fb189d8

  • SHA512

    ff47fa65ee9e538fbfe7de1b9c7838340f7e04a6dcd96ba65c78ffc5a6563daa85ca2108379d29977fea2320ad560d8bd908814392eb562f52b80ead6fc6a36b

  • SSDEEP

    12288:Ns4hG8f1PsYslobcRrgS880i50MRMc4UxYoUrO3LlS7uj5C:Ns4hjC9CClCMRoUKteLlVVC

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b7e9ce3f842b4f730c9531f6bddddfd3859245fc6eb8758ec9478228fb189d8.exe
    "C:\Users\Admin\AppData\Local\Temp\0b7e9ce3f842b4f730c9531f6bddddfd3859245fc6eb8758ec9478228fb189d8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsxB4FE.tmp\spext.dll

    Filesize

    746KB

    MD5

    71be8be25eee408304e59d4b69d09ac2

    SHA1

    c608bcc3ad762c5b32061f07266e95701ceb9325

    SHA256

    fea5ad0d5ec9dc84e593eeb29f0c2bbeaf73b38e7c9ce32c2bbc021e59b1ff12

    SHA512

    f8960478d32b006e96df7fbb0d3791b28f56554184987cafd55ab3d44d71ed9f01d5b6873048ad61803ecf3b2e52a92d9f1515f30734285328af09f25e87eb50

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    512KB

    MD5

    0de4fa66b6ecea607fc63d9773749540

    SHA1

    b676b8e1a63ce54aace4f8e50c4cc2660abc0712

    SHA256

    0b7e9ce3f842b4f730c9531f6bddddfd3859245fc6eb8758ec9478228fb189d8

    SHA512

    ff47fa65ee9e538fbfe7de1b9c7838340f7e04a6dcd96ba65c78ffc5a6563daa85ca2108379d29977fea2320ad560d8bd908814392eb562f52b80ead6fc6a36b