Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2023, 08:30
Static task: static1
Behavioral task: behavioral1
  Sample: 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
  Resource: win10v2004-20230220-en
General
Target: 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
Size: 1.0MB
MD5: 167f00a4fb8f80cc6b8641ef4bb69e58
SHA1: 87e5648e6b778d9026d784581848d55f467211e1
SHA256: 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b
SHA512: 89f2471f398109fc9a327aca1c9c5cc4e03c016afba21aad2c56544b0ea93c8638a6a289585faea3abe671a2168ea970f297207a7b712bb269f9b00e0e23ed4c
SSDEEP: 24576:l0a58Wc7x4TyjheHod9XxeDNmRJLduNtjKaDaxSEFJO:lrcGujPeDN4pu/2XxSEFE
Malware Config
Signatures
Stops running service(s) (3 TTPs)

Loads dropped DLL (7 IoCs)
  pid | Process
  4424 | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe (7 identical entries)

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\CCB_HDZB_2G_P11.dll | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
  File created | C:\Windows\system32\CCB_HDZB_2G_P11.dll | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gSNCtrl.dll | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
  File created | C:\Program Files (x86)\CCBComponents\Plugins\CARoot\Cert_HDZB_2G_Firefox.exe | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
  File opened for modification | C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
  File created | C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gCertCtrl.dll | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe

Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2032 | sc.exe
  524 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  4424 | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe (8 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4424 wrote to memory of 1456 | 4424 | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe | 85 (3 identical entries)
  PID 1456 wrote to memory of 2032 | 1456 | cmd.exe | 87 (3 identical entries)
  PID 4424 wrote to memory of 3484 | 4424 | 619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe | 88 (3 identical entries)
  PID 3484 wrote to memory of 524 | 3484 | cmd.exe | 90 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\619560ad8b3bbdb98474e12d56d8d9787a1f46f56026434d875d85633fbc774b.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4424

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
      - Suspicious use of WriteProcessMemory
      PID: 1456

      3. C:\Windows\SysWOW64\sc.exe
         Command line: C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
         - Launches sc.exe
         PID: 2032

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
      - Suspicious use of WriteProcessMemory
      PID: 3484

      3. C:\Windows\SysWOW64\sc.exe
         Command line: C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
         - Launches sc.exe
         PID: 524
Network
MITRE ATT&CK Enterprise v6
Downloads