Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

b5090d1c70...71.exe

windows7-x64

7

b5090d1c70...71.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    169s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe

  • Size

    73KB

  • MD5

    37fbc253f4dd5e17bed720ab49be8ada

  • SHA1

    20b9f7a60d2e978e0258a233a37295ae90ad32a1

  • SHA256

    b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71

  • SHA512

    b43d046a5efc72770ed3f05798cc55f51bad0bc69178109918aff6f7d22fef55e19ed1481ad27f0d786d8b36b076d5b0b8267f88f28d7ba8828d71397a4b31f5

  • SSDEEP

    1536:ePR/tH5CdwfwZgRG3sV7llkrvS4TmQfYMz/+nVRvqlW:ePR/z1YZgRGIlkrFBfYMz/+eW

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe
    "C:\Users\Admin\AppData\Local\Temp\b5090d1c70eda85c897aa9b9d63d5b3338f63cf87e506cf6dbec66111bf13f71.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Emj..bat" > nul 2> nul
      2⤵
        PID:4796

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Emj..bat
      Filesize

      274B

      MD5

      97deb6db16fa7bf862ef395b13ed3086

      SHA1

      00f6f26b88e43d7cc523a024498ab03443a66450

      SHA256

      fd46894d5ab5fea4a71bbcb85d24f7f2438824bf32dfbb1a683880a475e26563

      SHA512

      c32d5507862ba9ce322326cfac0ad406eab86d4b16b89f59a4d9050ec9f455b48adbb224e802ef700be54bd6b8b2bc02aecd869ed7350e37b0135a8543116e02

      Download Submit

    • memory/3860-132-0x0000000000570000-0x000000000058A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3860-133-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3860-135-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download