Analysis
- max time kernel: 55s
- max time network: 65s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05/03/2023, 15:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe
- Resource: win10-20230220-en
General
- Target: b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe
- Size: 1.5MB
- MD5: 2ff4a8ce1e71118052937c2c673b6aaf
- SHA1: 38c33661632b974003285edc65df1577313999f0
- SHA256: b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e
- SHA512: b83217325a0a233790212c53b1dfcbece33bea7a8df76fc879260e1616bc04f1ac41ecf5214379a701a214626d350cf69c6e7f4e437f61349f4279a76d157411
- SSDEEP: 24576:RtuKaWhtDUbBfJXAENZJf4hhyW44byzmWbU/W2VM0UccSzrydM8oBNZBVSr6btN1:2fWhNaBfJXAE3JUyW44bahbU/WK1Ucci
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid   process
  3940  rundll32.exe
  3940  rundll32.exe
  4640  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings
  process: b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   process                                                                   procid_target
  PID 2272 wrote to memory of 2496   2272  b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe   66
  PID 2272 wrote to memory of 2496   2272  b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe   66
  PID 2272 wrote to memory of 2496   2272  b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe   66
  PID 2496 wrote to memory of 3940   2496  control.exe                                                               68
  PID 2496 wrote to memory of 3940   2496  control.exe                                                               68
  PID 2496 wrote to memory of 3940   2496  control.exe                                                               68
  PID 3940 wrote to memory of 4476   3940  rundll32.exe                                                              69
  PID 3940 wrote to memory of 4476   3940  rundll32.exe                                                              69
  PID 4476 wrote to memory of 4640   4476  RunDll32.exe                                                              70
  PID 4476 wrote to memory of 4640   4476  RunDll32.exe                                                              70
  PID 4476 wrote to memory of 4640   4476  RunDll32.exe                                                              70
  Every writer/target pair in this table is a parent and the child it spawned in the process tree below (2272 -> 2496 -> 3940 -> 4476 -> 4640). The report records no write into a process outside that creation chain, so this signature on its own does not show injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe (PID 2272)
  command line: "C:\Users\Admin\AppData\Local\Temp\b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe"
  signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\control.exe (PID 2496, child of 2272)
    command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 3940, child of 2496)
      command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\RunDll32.exe (PID 4476, child of 3940)
        command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\rundll32.exe (PID 4640, child of 4476)
          command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
          signatures: Loads dropped DLL

The first path on each entry is the image actually mapped; the command line follows. Where the command line names System32 but the image is under SysWOW64, the process is 32-bit and the path was rewritten by the WOW64 file-system redirector. The chain is the sample handing a Control Panel item it wrote to the user's Temp directory (6YU5RMau.Cpl) to control.exe, which executes it through shell32's Control_RunDLL entry point inside rundll32.exe; the 64-bit RunDll32 (4476, image under system32) then re-launches a 32-bit rundll32 (4640) with the shell32 ordinal form of the same call, and it is the two 32-bit rundll32 instances (3940, 4640) that load the dropped file.
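The tree above is the classic Control Panel item proxy-execution pattern (MITRE ATT&CK T1218.002): a user-writable .cpl handed to control.exe, which in turn runs it via shell32's Control_RunDLL inside rundll32.exe. As an added example, not part of the tria.ge report, the Python below rebuilds that tree as Sysmon-style process-creation records and flags every control.exe or rundll32.exe that executes a .cpl from a user-writable directory, then attributes each hit to its root ancestor so the five-process chain collapses to one alert on the sample's PID. Field names follow Sysmon Event ID 1; the records themselves, the placeholder parent PID for the sample, and the benign control event are constructed here, not taken from any log.

```python
import re
from dataclasses import dataclass

# Paths taken verbatim from the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe"
CPL = r"C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 field names)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. The sample's own parent PID is not
# in the report, so ppid=0 is a placeholder. The last record is a constructed
# benign control: Control Panel opened by canonical name, no .cpl file involved.
EVENTS = [
    ProcEvent(2272, 0, SAMPLE, rf'"{SAMPLE}"'),
    ProcEvent(2496, 2272, r"C:\Windows\SysWOW64\control.exe",
              rf'"C:\Windows\System32\control.exe" "{CPL}",'),
    ProcEvent(3940, 2496, r"C:\Windows\SysWOW64\rundll32.exe",
              rf'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "{CPL}",'),
    ProcEvent(4476, 3940, r"C:\Windows\system32\RunDll32.exe",
              rf'C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "{CPL}",'),
    ProcEvent(4640, 4476, r"C:\Windows\SysWOW64\rundll32.exe",
              rf'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "{CPL}",'),
    ProcEvent(5100, 800, r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" /name Microsoft.System'),
]

LAUNCHERS = {"control.exe", "rundll32.exe"}
# A drive-letter path ending in .cpl given as an argument, quoted or not.
CPL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]*?\.cpl)"?', re.I)
# Directories an unprivileged user can write to; legitimate CPLs live under System32.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# shell32 entry points that execute a CPL: Control_RunDLL[A/W/AsUser...] or an ordinal (#44 above).
CPL_HANDLER = re.compile(r'shell32\.dll"?\s*,\s*(Control_RunDLL\w*|#\d+)', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cpl_from_user_dir(ev: ProcEvent):
    """Return the .cpl path if `ev` is control.exe/rundll32.exe executing a
    Control Panel item that lives in a user-writable directory, else None."""
    exe = _basename(ev.image)
    if exe not in LAUNCHERS:
        return None
    m = CPL_ARG.search(ev.cmdline)
    if not m:
        return None
    cpl = m.group(1)
    if not USER_WRITABLE.search(cpl):
        return None
    # rundll32 runs any DLL; only flag it when shell32's CPL handler is the entry point.
    if exe == "rundll32.exe" and not CPL_HANDLER.search(ev.cmdline):
        return None
    return cpl


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent links up to the root; returns [root, ..., ev]. Cycle-safe."""
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        parent = by_pid[chain[-1].ppid]
        chain.append(parent)
        seen.add(parent.pid)
    return chain[::-1]


def find_cpl_proxy_exec(events) -> list:
    """One finding per launcher process, each attributed to its root ancestor."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        cpl = cpl_from_user_dir(ev)
        if cpl is None:
            continue
        root = ancestry(ev, by_pid)[0]
        findings.append({"pid": ev.pid, "launcher": _basename(ev.image), "cpl": cpl,
                         "root_pid": root.pid, "root_image": root.image})
    return findings


def alerts_by_root(events) -> dict:
    """Collapse per-process findings into one alert per root process, so the
    five-process chain in the report yields a single alert keyed on the sample's PID."""
    grouped = {}
    for f in find_cpl_proxy_exec(events):
        grouped.setdefault(f["root_pid"], []).append(f["pid"])
    return grouped


if __name__ == "__main__":
    for root, pids in alerts_by_root(EVENTS).items():
        print(f"root pid {root}: CPL proxy execution in pids {pids}")
```

Run against the constructed records, the four launcher processes (2496, 3940, 4476, 4640) are flagged and the benign control.exe is not; grouping by root gives one alert for PID 2272. The user-writable-directory test is what keeps this from firing on every Control Panel applet, and the shell32-handler test keeps ordinary rundll32 usage out of scope.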
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB (the report lists four download entries with identical hashes)
  MD5: 0e9eb7f4e027379eff9d6aeeb2cb5156
  SHA1: 8973e12d0a193cca69e1389c057be8e73d9a3862
  SHA256: d7a17d9cf006b31e8f53108c53e3ecabcd831cc34531a5a01b3bdf8f1a6a8bd6
  SHA512: 4d9cd2e9c11881c1d9df3c01a1d6385e843e17629ed1a4f27b95067cba83c42496ebc68348569c2e93b4d70f73b679a4af690ed9403caf40e27b99737c099346