Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/07/2023, 19:47
Static task: static1
Behavioral task: behavioral1
Sample: bootdecoder.zip
Resource: win10-20230703-en
General
Target: bootdecoder.zip
Size: 341KB
MD5: 276944486fe92de4379efd9dcf667fa8
SHA1: 6df2b78653774f263d149d7d1f8803b7f95e2a4c
SHA256: 4092271557d4677645efabdac5c87df345de795f01e0e68a1da3c0a5d7fa11e5
SHA512: 037363567bca262240a3febe1015f70d6d288ca549ac55f79f183efda47da8a44e2ce2fc5e6dd0e1e5d4bd5b5fd101a96eca235103dd92bc9f6a00cc355f4b11
SSDEEP: 6144:PR9Dm7m3oue9XcS97D2km7aNti8OP0j8jlO:PR9gYtelRKuNtircj85O
Malware Config
Signatures
- Opens file in notepad (likely ransom note) (1 IoC)
  pid   Process
  4312  NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process  procid_target
  PID 492 wrote to memory of 4728    492   cmd.exe  78
  PID 492 wrote to memory of 4728    492   cmd.exe  78
  PID 4728 wrote to memory of 3788   4728  lua.exe  79
  PID 4728 wrote to memory of 3788   4728  lua.exe  79
  PID 3788 wrote to memory of 3884   3788  cmd.exe  80
  PID 3788 wrote to memory of 3884   3788  cmd.exe  80
  PID 492 wrote to memory of 2100    492   cmd.exe  81
  PID 492 wrote to memory of 2100    492   cmd.exe  81
  PID 2100 wrote to memory of 4712   2100  lua.exe  82
  PID 2100 wrote to memory of 4712   2100  lua.exe  82
  PID 4712 wrote to memory of 3928   4712  cmd.exe  83
  PID 4712 wrote to memory of 3928   4712  cmd.exe  83
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\bootdecoder.zip
  PID: 4156
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CompressResolve.ps1xml
  Signatures: Opens file in notepad (likely ransom note)
  PID: 4312
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 732
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 492
  - C:\Users\Admin\Desktop\bootdecoder\lua.exe
    Command line: lua.exe extract.lua
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4728
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ndisasm.exe extracted.bin -o extracted_asm.asm
      Signatures: Suspicious use of WriteProcessMemory
      PID: 3788
      - C:\Users\Admin\Desktop\bootdecoder\ndisasm.exe
        Command line: ndisasm.exe extracted.bin -o extracted_asm.asm
        PID: 3884
  - C:\Users\Admin\Desktop\bootdecoder\lua.exe
    Command line: lua.exe extract.lua
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2100
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ndisasm.exe extracted.bin -o extracted_asm.asm
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4712
      - C:\Users\Admin\Desktop\bootdecoder\ndisasm.exe
        Command line: ndisasm.exe extracted.bin -o extracted_asm.asm
        PID: 3928
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 512B
  MD5: 9c44c975675cf21b84fdfe4a6e1569ef
  SHA1: 665d545bffc0d951663c580d075ba257848a45ed
  SHA256: 8a798cdb3fe69f4563e592db8a6138f9c2bf77d2aabd745ab85fc95e79decbdd
  SHA512: 9d32fdffd2855383aec3da63bf93881b187af428e25a598fa95e096ce0f645346b7ab64bf063245a7f4f71803fe78ffbb8d6f110087391d076be683d7a50a5fe