Analysis
- max time kernel: 140s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2023, 11:12
Behavioral tasks
- behavioral1: sample 902d3e298d0afaexeexeexeex.exe, resource win7-20230703-en
- behavioral2: sample 902d3e298d0afaexeexeexeex.exe, resource win10v2004-20230703-en
General
- Target: 902d3e298d0afaexeexeexeex.exe
- Size: 73KB
- MD5: 902d3e298d0afa25ef3a46720fa0f15a
- SHA1: 8a4d107fed4a16e97e355097bd5ed9bcdd710bdd
- SHA256: d643955488941c2ff39fe6ae12f582b36d68220d533702e016609f3f6b1533fe
- SHA512: 8f542f81bddb2ccf3220508b487f3a5a8dafa55a76bb6c453d4c559a6d91faddb930fd66384d54b4f8510aa543becf26550a32f60f595da5ac003775a1071dbe
- SSDEEP: 1536:sgSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:sMSjOnrmBbMqqMmr3IdE8we0Avu5r++N
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | 902d3e298d0afaexeexeexeex.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vpafpatqlfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\902d3e298d0afaexeexeexeex.exe" | 902d3e298d0afaexeexeexeex.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only), one IoC per drive letter | \??\H:, \??\I:, \??\J:, \??\M:, \??\T:, \??\U:, \??\E:, \??\F:, \??\P:, \??\Q:, \??\S:, \??\X:, \??\O:, \??\R:, \??\A:, \??\B:, \??\G:, \??\K:, \??\L:, \??\N:, \??\V:, \??\W:, \??\Y:, \??\Z: | 902d3e298d0afaexeexeexeex.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 902d3e298d0afaexeexeexeex.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 902d3e298d0afaexeexeexeex.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 902d3e298d0afaexeexeexeex.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2436 | 902d3e298d0afaexeexeexeex.exe
  2436 | 902d3e298d0afaexeexeexeex.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Each of the 13 target processes below is recorded four times in the report (52 entries in total).
  description | pid | Process | procid_target
  PID 2436 wrote to memory of 1112 | 2436 | 902d3e298d0afaexeexeexeex.exe | 29
  PID 2436 wrote to memory of 3036 | 2436 | 902d3e298d0afaexeexeexeex.exe | 31
  PID 2436 wrote to memory of 2188 | 2436 | 902d3e298d0afaexeexeexeex.exe | 33
  PID 2436 wrote to memory of 2128 | 2436 | 902d3e298d0afaexeexeexeex.exe | 35
  PID 2436 wrote to memory of 1304 | 2436 | 902d3e298d0afaexeexeexeex.exe | 37
  PID 2436 wrote to memory of 2236 | 2436 | 902d3e298d0afaexeexeexeex.exe | 39
  PID 2436 wrote to memory of 880 | 2436 | 902d3e298d0afaexeexeexeex.exe | 41
  PID 2436 wrote to memory of 2980 | 2436 | 902d3e298d0afaexeexeexeex.exe | 43
  PID 2436 wrote to memory of 2388 | 2436 | 902d3e298d0afaexeexeexeex.exe | 45
  PID 2436 wrote to memory of 2836 | 2436 | 902d3e298d0afaexeexeexeex.exe | 47
  PID 2436 wrote to memory of 2768 | 2436 | 902d3e298d0afaexeexeexeex.exe | 49
  PID 2436 wrote to memory of 2784 | 2436 | 902d3e298d0afaexeexeexeex.exe | 51
  PID 2436 wrote to memory of 2532 | 2436 | 902d3e298d0afaexeexeexeex.exe | 53
Processes
- C:\Users\Admin\AppData\Local\Temp\902d3e298d0afaexeexeexeex.exe (PID 2436)
  Command line: "C:\Users\Admin\AppData\Local\Temp\902d3e298d0afaexeexeexeex.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes, all C:\Windows\SysWOW64\nslookup.exe, in launch order:
  - nslookup nomoreransom.bit dns1.soprodns.ru (PID 1112)
  - nslookup emsisoft.bit dns1.soprodns.ru (PID 3036)
  - nslookup gandcrab.bit dns1.soprodns.ru (PID 2188)
  - nslookup nomoreransom.bit dns1.soprodns.ru (PID 2128)
  - nslookup emsisoft.bit dns1.soprodns.ru (PID 1304)
  - nslookup gandcrab.bit dns1.soprodns.ru (PID 2236)
  - nslookup nomoreransom.bit dns1.soprodns.ru (PID 880)
  - nslookup emsisoft.bit dns1.soprodns.ru (PID 2980)
  - nslookup gandcrab.bit dns1.soprodns.ru (PID 2388)
  - nslookup nomoreransom.bit dns1.soprodns.ru (PID 2836)
  - nslookup emsisoft.bit dns1.soprodns.ru (PID 2768)
  - nslookup gandcrab.bit dns1.soprodns.ru (PID 2784)
  - nslookup nomoreransom.bit dns1.soprodns.ru (PID 2532)