Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 14:54

General

  • Target

    026eb02c34da452f7e5d4289c0be85b0.exe

  • Size

    3.6MB

  • MD5

    026eb02c34da452f7e5d4289c0be85b0

  • SHA1

    cc71d0e6310534b1e4e51d894c811388b72b5812

  • SHA256

    c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

  • SHA512

    0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c

  • SSDEEP

    49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Malware Config

Signatures

  • Ekans

    Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.

  • Ekans Ransomware 2 IoCs

    Executable looks like Ekans ICS ransomware sample.

  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

  • Zebrocy Go Variant 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
    "C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\dump.exe
      dump.exe
      2⤵
      • Executes dropped EXE
      PID:1308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 276
        3⤵
        • Program crash
        PID:2044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 344
      2⤵
      • Program crash
      PID:3264
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1936 -ip 1936
    1⤵
      PID:1304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1308 -ip 1308
      1⤵
        PID:4612

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\dump.exe

        Filesize

        122KB

        MD5

        da5eb128c90d9866663cdc023e947abc

        SHA1

        62de549183bd5e1ed8552248fd9ceb57219e2f0a

        SHA256

        7e8d8585cde1222c9ef99ec657837c1cd298097ad467af6a0f3c8697f20d0ece

        SHA512

        1b3e39ff7eb0413920da06dce365cc47a6764704769bac5cbb7f49f1d57bbbeaa68277958bbcc7db5c8ca68ec67b43b63796b520d19043ec9820044ca345ee91

      • C:\Users\Admin\AppData\Local\Temp\dump.exe

        Filesize

        114KB

        MD5

        eb33679f962d6fb57a38abb2d97befab

        SHA1

        51fd0014b62348ab91f5b7ca259bd48ad7e72bab

        SHA256

        c7ceeb2ab7aeecebb9dead9a3f59d42af5fe7576b3d462a04cf3e8003c113de1

        SHA512

        ba6941bfa117106d53542b0812173936902a4c7357bab9994c8ab08601e36f1324119c5f004085ea8bea3a2c1d200d4155d2fbb3b1afc924e383c2a092cf6dfa