Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

dc2cd815e4...2b.exe

windows7-x64

10

dc2cd815e4...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 09:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe

  • Size

    312KB

  • MD5

    225781f7bf59c7f0bcd643a9984bdee3

  • SHA1

    034ceb777791bb3764908f8317ff29464b1e0701

  • SHA256

    dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b

  • SHA512

    4e4e40940277b039d4fe0fdfbaa4388b9ffea7272a5f781308a29a6d5cdfba5034b7fab6b4e4c6928a33a75f49c4fbb52e093a2a0d83f0eb36cff42dd989e66b

  • SSDEEP

    6144:Bwc+PaJXYd9hxr51WxWHdzvprYZPpYUQ3m1zBdP7F1:/XYd9hxrrYWhvpEZPKr3m1z3Z1

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 51 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe
    "C:\Users\Admin\AppData\Local\Temp\dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\rnmay.exe
      "C:\Users\Admin\rnmay.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4832

Network

  • flag-unknown
    DNS
    176.122.125.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    176.122.125.40.in-addr.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    ns1.player1352.com
    dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.com
    IN A
    Response
  • flag-unknown
    DNS
    ns1.player1352.net
    dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.player1352.net
    IN A
    Response
    ns1.player1352.net
    IN A
    35.205.61.67
  • 8.238.21.126:80
    322 B
     7
  • 8.238.21.126:80
    260 B
     5
  • 20.190.159.71:443
    260 B
     5
  • 104.46.162.226:443
    322 B
     7
  • 104.80.225.205:443
    322 B
     7
  • 20.190.159.64:443
    260 B
     5
  • 8.238.21.126:80
    322 B
     7
  • 8.238.21.126:80
    322 B
     7
  • 8.238.21.126:80
    322 B
     7
  • 35.205.61.67:8003
    ns1.player1352.net
    dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe
    260 B
     5
  • 8.247.211.126:80
    46 B
     40 B
     1
    1
  • 8.8.8.8:53
    176.122.125.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    176.122.125.40.in-addr.arpa

  • 8.8.8.8:53
    ns1.player1352.com
    dns
    dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe
    64 B
     137 B
     1
    1

    DNS Request

    ns1.player1352.com

  • 8.8.8.8:53
    ns1.player1352.net
    dns
    dc2cd815e4db618aa84ceae71a725c8d3929cd541f36997803b7884fa93ed12b.exe
    64 B
     80 B
     1
    1

    DNS Request

    ns1.player1352.net

    DNS Response

    35.205.61.67

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\rnmay.exe
    Filesize

    312KB

    MD5

    d4e9a91b95c7febfae3680c5a8fac1a7

    SHA1

    07463b660ab42a890f97429d3463f90339631bad

    SHA256

    3b70d68c17d31270cad27d8a19ba01f41a24c3d08ab682a63f48c6510e4ab2a0

    SHA512

    79008217f869aa5f0304bd2036a756cd95599d6be15f1d8d313168d2550ffc47ad49ecea520fb19236d23df8a59124b4765548890d8aa4c3cc7d143a35223176

    Download Submit

  • C:\Users\Admin\rnmay.exe
    Filesize

    312KB

    MD5

    d4e9a91b95c7febfae3680c5a8fac1a7

    SHA1

    07463b660ab42a890f97429d3463f90339631bad

    SHA256

    3b70d68c17d31270cad27d8a19ba01f41a24c3d08ab682a63f48c6510e4ab2a0

    SHA512

    79008217f869aa5f0304bd2036a756cd95599d6be15f1d8d313168d2550ffc47ad49ecea520fb19236d23df8a59124b4765548890d8aa4c3cc7d143a35223176

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.