Analysis
- max time kernel: 71s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2023, 08:01
Static task
- static1
Behavioral tasks
- behavioral1: sample image001.gz, resource win7-20230220-en
- behavioral2: sample image001.gz, resource win10v2004-20230220-en
- behavioral3: sample sample, resource win7-20230220-en
- behavioral4: sample sample, resource win10v2004-20230220-en
General
- Target: image001.gz
- Size: 4KB
- MD5: e7ec5eab039e0482906db65773b4206b
- SHA1: 0bb672abd4bf19c9040d2f596b8d99ac09caf843
- SHA256: c094983226741f872596b3221643cc0c2ea1de96253eca5cd49b32df52df3f46
- SHA512: a5a9323eb33c7a25d9be7ea0c1bf61213c9adeab16aaec883bcb4eeec3ce21b80c370767d5dae57e38d6864926f2c5023af2e8e69b3a1883922a23bd7e347361
- SSDEEP: 96:ZyIym0J4yUPyJdjRJAaXJx409diOzo31uHEKDcimb4ct947LF8rjl:sIyhM6JzGaXJnDo905Ux
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  description | ioc                                                                                   | Process
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid  | Process
  1708 | NOTEPAD.EXE
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid  | Process
  1232 | OpenWith.exe (13 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                      | pid  | Process      | procid_target
  PID 1232 wrote to memory of 1708 | 1232 | OpenWith.exe | 93
  PID 1232 wrote to memory of 1708 | 1232 | OpenWith.exe | 93
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\image001.gz
  PID: 2552
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1232
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\image001.gz
    PID: 1708
    - Opens file in notepad (likely ransom note)