Analysis
max time kernel:  76s
max time network: 59s
platform:         windows10-1703_x64
resource:         win10-20220812-en
resource tags:    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted:        27/11/2022, 02:00
Static task:     static1
Behavioral task: behavioral1
Sample:          7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe
Resource:        win10-20220812-en
General
Target: 7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe
Size:   1.4MB
MD5:    a9960bd86296a61632c5b1049bd0f6f0
SHA1:   2f2d6b06b685420c1913a592cee11bf07d22e256
SHA256: 7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385
SHA512: 2e740eada8fc8545ab98f11cca9e98bd7f761c678c64da5b8a081f429e50dd905fac65d22094938a95d2a0b33c5cf8981de2c9281a5b19ac77d188e9578926a4
SSDEEP: 24576:4ry2uXzmVLTph1biXtFPHvgx59Qg5xD9JZ26YEYeDTTKFPDm8u2M:4unKhViXtFPHkfBYrevmFPDmaM
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
  pid   Process
  4376  rundll32.exe
  4376  rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2500 wrote to memory of 3380   2500  7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe  66
  PID 2500 wrote to memory of 3380   2500  7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe  66
  PID 2500 wrote to memory of 3380   2500  7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe  66
  PID 3380 wrote to memory of 4376   3380  control.exe                                                               67
  PID 3380 wrote to memory of 4376   3380  control.exe                                                               67
  PID 3380 wrote to memory of 4376   3380  control.exe                                                               67
Processes (indentation = depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe"
  PID: 2500
  Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\control.exe
    command line: "C:\Windows\System32\control.exe" .\_cvW7A.6F
    PID: 3380
    Suspicious use of WriteProcessMemory
    (the image runs from SysWOW64 although System32 is requested: the sample is a 32-bit process, so WoW64 file-system redirection applies)

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\_cvW7A.6F
      PID: 4376
      Loads dropped DLL
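The control.exe -> rundll32.exe Shell32.dll,Control_RunDLL chain above is the normal way Windows opens a Control Panel item (a .cpl file is a DLL that exports CPlApplet). Here the "applet" is a dropped file with a non-.cpl name passed as a relative path, so the sample gets its payload DLL loaded inside a signed Windows binary. The following hunting script is an added example, not tria.ge output and not the sample's own code: it runs over constructed process-creation events modelled on the PIDs and command lines in the process tree (plus one benign Control Panel launch for contrast) and flags the chain on three properties: an unrooted or non-system path as the Control_RunDLL argument, a non-.cpl extension, and a control.exe whose parent runs from a user-writable directory. The event shape (pid, ppid, image, cmdline) is an assumption; map it to your EDR's fields.

```python
import re
from dataclasses import dataclass

# Added hunting example for the Control_RunDLL chain in the report above.
# Not tria.ge code and not part of the sample. EVENTS is constructed from the
# PIDs and command lines in the process tree, plus a benign contrast case.

SAMPLE = "7a108a4477a9b37e89d9be7e0d2bbec1d184b46ba0c9135fca3ee3735874d385.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executing image (assumed EDR field)
    cmdline: str    # command line as logged (assumed EDR field)


EVENTS = [
    # Chain from the report: sample -> control.exe -> rundll32.exe Control_RunDLL .\_cvW7A.6F
    ProcEvent(2500, 1, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(3380, 2500, r"C:\Windows\SysWOW64\control.exe",
              r'"C:\Windows\System32\control.exe" .\_cvW7A.6F'),
    ProcEvent(4376, 3380, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\_cvW7A.6F'),
    # Constructed benign contrast: Explorer opens the Date and Time applet.
    ProcEvent(1200, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5000, 1200, r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" timedate.cpl'),
    ProcEvent(5100, 5000, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl",'),
]

CONTROL_RUNDLL = re.compile(r"Control_RunDLL\s+(.+)$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")


def cpl_argument(cmdline: str):
    """Return the file handed to Shell32!Control_RunDLL, or None if this is
    not a Control_RunDLL invocation. control.exe quotes the path and appends
    a trailing comma, so both are stripped."""
    m = CONTROL_RUNDLL.search(cmdline)
    if not m:
        return None
    return m.group(1).strip().rstrip(",").strip('"')


def check_rundll32(ev: ProcEvent, by_pid: dict) -> list:
    """Reasons why this rundll32 event looks like CPL-based loading of a
    dropped file; empty list for non-rundll32 or benign-looking events."""
    reasons = []
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return reasons
    arg = cpl_argument(ev.cmdline)
    if arg is None:
        return reasons
    low = arg.lower()
    rooted = re.match(r"^[a-z]:\\", low) is not None
    if not rooted:
        # ".\_cvW7A.6F" resolves against the parent's working directory,
        # i.e. wherever the dropper unpacked it.
        reasons.append("relative/unrooted CPL path")
    elif not low.startswith(SYSTEM_DIRS):
        reasons.append("CPL outside the Windows system directories")
    if not low.endswith(".cpl"):
        reasons.append("non-.cpl extension")
    # Ancestry: rundll32 <- control.exe <- something in a user-writable location.
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower().endswith("\\control.exe"):
        grand = by_pid.get(parent.ppid)
        if grand and any(p in grand.image.lower() for p in USER_WRITABLE):
            reasons.append(f"control.exe launched by {grand.image} (user-writable location)")
    return reasons


def scan(events) -> dict:
    """Map PID -> reasons for every event that trips check_rundll32."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        reasons = check_rundll32(e, by_pid)
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, reasons)
```

Run against the constructed events, only PID 4376 is reported, with all three reasons; the explorer.exe -> control.exe -> rundll32.exe timedate.cpl chain is silent. The relative-path and extension checks are the cheapest and the least prone to false positives; the ancestry check is what ties the rundll32 activity back to the dropper.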
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.2MB
MD5:      40353de0ec1019842e054683d81350c6
SHA1:     343197d9ca8a4d2c29cd23560f4f9978b44d0349
SHA256:   4903c94dc6bd9c053a96c6ca6f9e3ecbd9646c6d04ecaa2e370ac5fbc90b4195
SHA512:   43905ed47e0edd142216debbccb8571b50e39ded5a55966f2c329c9632cf43eb6c6f3862edf9cf89059682d683172af33babfd81eaa45eb4e888836eb4b1205f