Analysis

  • max time kernel
    42s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2022, 18:48 UTC

General

  • Target

    8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

  • Size

    1020KB

  • MD5

    496f86f951e1dbd3c4534d51a5297668

  • SHA1

    1199c5f30f5724841905cbdb9787649d15aae3d5

  • SHA256

    8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621

  • SHA512

    382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510

  • SSDEEP

    24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
    "C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:1228

Network

  • 127.0.0.1:49168
    8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
  • 128.31.0.39:9101
    8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
    152 B
    120 B
    3
    3
  • 86.59.21.38:443
    www.e6iwkxlngprryjhunmpazej2.com
    tls
    8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
    3.1kB
    7.5kB
    13
    15

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1684-54-0x0000000076401000-0x0000000076403000-memory.dmp
    Filesize: 8KB
  • memory/1684-56-0x0000000000400000-0x00000000005DE000-memory.dmp
    Filesize: 1.9MB
  • memory/1684-58-0x0000000002390000-0x00000000023B9000-memory.dmp
    Filesize: 164KB
  • memory/1684-59-0x0000000000400000-0x00000000005DE000-memory.dmp
    Filesize: 1.9MB
  • memory/1684-60-0x0000000000400000-0x00000000005DE000-memory.dmp
    Filesize: 1.9MB
  • memory/1684-61-0x0000000002390000-0x00000000023B9000-memory.dmp
    Filesize: 164KB
  • memory/1684-62-0x0000000000400000-0x00000000005DE000-memory.dmp
    Filesize: 1.9MB
