Analysis
max time kernel: 90s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2023, 16:39
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20220901-en
General
Target: file.exe
Size: 6.2MB
MD5: 1a904107cb5b50c41a9a16912387e3c1
SHA1: 52ae836393e634161420fd863c874383424a7554
SHA256: d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb
SHA512: cd6db4c6adec8704d82a0efc7800e5256d556189ae8abb4402d7a9dd224dc14558dede4f752ba2fd85cdc60e68de5b8864cfdd04461f8520c30735839233a11d
SSDEEP: 98304:6zp35bfcuES0LuX2kBGQnfSJScysP9NPyA8KDbEo9ZLHPjUdLH68GuvT84:61Nf0LuXXGA7FA9NPyAFcC9ea8B3
Malware Config
Signatures
Blocklisted process makes network request (1 IoCs)
  flow | pid  | Process
  6    | 5016 | rundll32.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                         | pid  | Process  | procid_target
  PID 1712 set thread context of 5016 | 1712 | file.exe | 82

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 43 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description          | ioc                                                                                  | Process
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | file.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                       | file.exe
  Key enumerated       | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                       | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    | file.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status       | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet          | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision     | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data  | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status       | file.exe
  Key enumerated       | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                       | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data  | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet          | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | file.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier          | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision     | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet          | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision     | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier    | rundll32.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     | file.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet          | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                | file.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | rundll32.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                       | rundll32.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status       | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data  | file.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | file.exe
Modifies registry class (1 IoCs)
  description | ioc                                                                                  | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  | rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  5016 | rundll32.exe
  5016 | rundll32.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  | Process
  5016 | rundll32.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process  | procid_target
  PID 1712 wrote to memory of 5016  | 1712 | file.exe | 82
  PID 1712 wrote to memory of 5016  | 1712 | file.exe | 82
  PID 1712 wrote to memory of 5016  | 1712 | file.exe | 82
  PID 1712 wrote to memory of 5016  | 1712 | file.exe | 82
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 5016, child of PID 1712)
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Blocklisted process makes network request
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads