Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20230705-en
- resource tags: arch:x64, arch:x86, image:win7-20230705-en, locale:en-us, os:windows7-x64, system
- submitted: 08/07/2023, 18:16
Behavioral task behavioral1
- Sample: 902d3e298d0afaexeexeexeex.exe
- Resource: win7-20230705-en

Behavioral task behavioral2
- Sample: 902d3e298d0afaexeexeexeex.exe
- Resource: win10v2004-20230703-en
General
- Target: 902d3e298d0afaexeexeexeex.exe
- Size: 73KB
- MD5: 902d3e298d0afa25ef3a46720fa0f15a
- SHA1: 8a4d107fed4a16e97e355097bd5ed9bcdd710bdd
- SHA256: d643955488941c2ff39fe6ae12f582b36d68220d533702e016609f3f6b1533fe
- SHA512: 8f542f81bddb2ccf3220508b487f3a5a8dafa55a76bb6c453d4c559a6d91faddb930fd66384d54b4f8510aa543becf26550a32f60f595da5ac003775a1071dbe
- SSDEEP: 1536:sgSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:sMSjOnrmBbMqqMmr3IdE8we0Avu5r++N
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (Process: 902d3e298d0afaexeexeexeex.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jwwbnddyznh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\902d3e298d0afaexeexeexeex.exe" (Process: 902d3e298d0afaexeexeexeex.exe)
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 902d3e298d0afaexeexeexeex.exe, in the order recorded: \??\L:, \??\M:, \??\T:, \??\W:, \??\X:, \??\E:, \??\J:, \??\O:, \??\R:, \??\S:, \??\V:, \??\Z:, \??\A:, \??\B:, \??\F:, \??\G:, \??\I:, \??\K:, \??\P:, \??\H:, \??\N:, \??\Q:, \??\U:, \??\Y:
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: 902d3e298d0afaexeexeexeex.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: 902d3e298d0afaexeexeexeex.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Process: 902d3e298d0afaexeexeexeex.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  816   902d3e298d0afaexeexeexeex.exe
  816   902d3e298d0afaexeexeexeex.exe
Suspicious use of WriteProcessMemory (56 IoCs)
Every entry has the description "PID 816 wrote to memory of <target PID>", pid 816 and Process 902d3e298d0afaexeexeexeex.exe; each target below is recorded four times (14 targets x 4 = 56 IoCs).
  target PID   procid_target
  2096         29
  1628         31
  1260         33
  2024         35
  908          37
  2928         39
  1204         41
  2240         43
  2060         45
  2532         47
  2544         49
  2696         51
  2708         53
  2568         55
Processes

C:\Users\Admin\AppData\Local\Temp\902d3e298d0afaexeexeexeex.exe (PID: 816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\902d3e298d0afaexeexeexeex.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child processes (all C:\Windows\SysWOW64\nslookup.exe), in the order recorded:
    PID 2096: nslookup nomoreransom.bit dns1.soprodns.ru
    PID 1628: nslookup emsisoft.bit dns1.soprodns.ru
    PID 1260: nslookup gandcrab.bit dns1.soprodns.ru
    PID 2024: nslookup nomoreransom.bit dns1.soprodns.ru
    PID 908:  nslookup emsisoft.bit dns1.soprodns.ru
    PID 2928: nslookup gandcrab.bit dns1.soprodns.ru
    PID 1204: nslookup nomoreransom.bit dns1.soprodns.ru
    PID 2240: nslookup emsisoft.bit dns1.soprodns.ru
    PID 2060: nslookup gandcrab.bit dns1.soprodns.ru
    PID 2532: nslookup nomoreransom.bit dns1.soprodns.ru
    PID 2544: nslookup emsisoft.bit dns1.soprodns.ru
    PID 2696: nslookup gandcrab.bit dns1.soprodns.ru
    PID 2708: nslookup nomoreransom.bit dns1.soprodns.ru
    PID 2568: nslookup emsisoft.bit dns1.soprodns.ru