Analysis
max time kernel: 148s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 14:54
Static task: static1
Behavioral task: behavioral1
  Sample: 026eb02c34da452f7e5d4289c0be85b0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 026eb02c34da452f7e5d4289c0be85b0.exe
  Resource: win10v2004-20231215-en
General
Target: 026eb02c34da452f7e5d4289c0be85b0.exe
Size: 3.6MB
MD5: 026eb02c34da452f7e5d4289c0be85b0
SHA1: cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256: c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512: 0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP: 49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA
Malware Config
Signatures
Ekans
Variant of Snake Ransomware. Targets ICS infrastructure; known to have been used against Honda in June 2020.

Ekans Ransomware (2 IoCs)
Executable looks like Ekans ICS ransomware sample.
resource                                    yara_rule
behavioral2/files/0x000e000000023192-4.dat  family_ekans
behavioral2/files/0x000e000000023192-3.dat  family_ekans

Zebrocy Go Variant (2 IoCs)
resource                                    yara_rule
behavioral2/files/0x000e000000023192-4.dat  Zebrocy
behavioral2/files/0x000e000000023192-3.dat  Zebrocy
Note: both rules fire on the same two dropped files. Ekans and the Zebrocy Go variant are both Go-compiled, so the Zebrocy hit may come from shared Go-runtime artefacts rather than from a second family; inspect the files before attributing them to Zebrocy.

Executes dropped EXE (1 IoC)
pid   Process
1308  dump.exe

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
2044  1308        WerFault.exe  21
3264  1936        WerFault.exe  14
Note: both the submitted sample (PID 1936) and the dropped dump.exe (PID 1308) crashed, so the run most likely never reached the payload's encryption routine. The lack of further behaviour in this report is inconclusive, not evidence that the sample is benign.

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                               procid_target
PID 1936 wrote to memory of 1308  1936  026eb02c34da452f7e5d4289c0be85b0.exe  21
PID 1936 wrote to memory of 1308  1936  026eb02c34da452f7e5d4289c0be85b0.exe  21
PID 1936 wrote to memory of 1308  1936  026eb02c34da452f7e5d4289c0be85b0.exe  21
Processes
PID 1936  C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
          - Suspicious use of WriteProcessMemory
    PID 1308  C:\Users\Admin\AppData\Local\Temp\dump.exe
              cmd: dump.exe
              - Executes dropped EXE
        PID 2044  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 276
                  - Program crash
    PID 3264  C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 344
              - Program crash
PID 1304  C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1936 -ip 1936
PID 4612  C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1308 -ip 1308

Note: WerFault.exe is launched from SysWOW64, so the sample and dump.exe run as 32-bit processes under WOW64 on the x64 guest (consistent with the arch:x86 resource tag). The `-p <pid>` argument of each WerFault command line names the faulting process: 1308 (dump.exe) and 1936 (the sample).
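The process tree above is what the sandbox derives from raw process, file and memory events. The following is an added example (Python, not tria.ge code) that reconstructs such a tree from a constructed event list modelled on this report and re-derives the three behavioural signatures listed under Signatures: a dropped executable being run, WriteProcessMemory from the parent into the child, and which processes crashed, found by parsing the `-p <pid>` argument of the WerFault command lines. The event schema (`op`, `ppid`, `src`, `dst`, `path`) is this example's own assumption, not a real sandbox format.

```python
"""Re-derive a sandbox report's behavioural signatures from raw events.

Added example, not tria.ge code. EVENTS is constructed to mirror the
process tree in the report; the field names ("op", "ppid", "src", "dst",
"path") are an assumed schema for this example only.
"""
import ntpath
import re
from collections import defaultdict

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "026eb02c34da452f7e5d4289c0be85b0.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed events (assumed schema) modelled on the report's process tree.
EVENTS = [
    {"op": "create", "pid": 1936, "ppid": 0, "image": ntpath.join(TEMP_DIR, SAMPLE),
     "cmdline": '"%s"' % ntpath.join(TEMP_DIR, SAMPLE)},
    {"op": "file_write", "pid": 1936, "path": ntpath.join(TEMP_DIR, "dump.exe")},
    {"op": "create", "pid": 1308, "ppid": 1936, "image": ntpath.join(TEMP_DIR, "dump.exe"),
     "cmdline": "dump.exe"},
    {"op": "write_memory", "src": 1936, "dst": 1308},
    {"op": "write_memory", "src": 1936, "dst": 1308},
    {"op": "write_memory", "src": 1936, "dst": 1308},
    {"op": "create", "pid": 2044, "ppid": 1308, "image": WERFAULT,
     "cmdline": WERFAULT + " -u -p 1308 -s 276"},
    {"op": "create", "pid": 3264, "ppid": 1936, "image": WERFAULT,
     "cmdline": WERFAULT + " -u -p 1936 -s 344"},
    {"op": "create", "pid": 1304, "ppid": 0, "image": WERFAULT,
     "cmdline": WERFAULT + " -pss -s 424 -p 1936 -ip 1936"},
    {"op": "create", "pid": 4612, "ppid": 0, "image": WERFAULT,
     "cmdline": WERFAULT + " -pss -s 440 -p 1308 -ip 1308"},
]


def processes(events):
    """pid -> process-create record, in creation order."""
    return {e["pid"]: e for e in events if e["op"] == "create"}


def dropped_exe_executions(events):
    """'Executes dropped EXE': an .exe written to disk during the run and
    later started. Returns (writer_pid, executing_pid, path) tuples."""
    written, hits = {}, []
    for e in events:
        if e["op"] == "file_write" and e["path"].lower().endswith(".exe"):
            written[e["path"].lower()] = e["pid"]
        elif e["op"] == "create" and e["image"].lower() in written:
            hits.append((written[e["image"].lower()], e["pid"], e["image"]))
    return hits


def cross_process_writes(events):
    """'Suspicious use of WriteProcessMemory': count memory writes whose
    source and target are different processes, keyed by (src, dst)."""
    counts = defaultdict(int)
    for e in events:
        if e["op"] == "write_memory" and e["src"] != e["dst"]:
            counts[(e["src"], e["dst"])] += 1
    return dict(counts)


# "-p <pid>" names the faulting process; "-pss" and "-ip" do not match.
_WER_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def crashes(events):
    """'Program crash': map each faulting pid to its image name by parsing
    WerFault command lines. The "-u -p <pid>" and "-pss ... -p <pid>" forms
    both name the same pid, so they collapse to one crash per process."""
    procs, out = processes(events), {}
    for e in events:
        if e["op"] == "create" and ntpath.basename(e["image"]).lower() == "werfault.exe":
            m = _WER_PID.search(e["cmdline"])
            if m:
                pid = int(m.group(1))
                out[pid] = ntpath.basename(procs[pid]["image"]) if pid in procs else None
    return out


def render_tree(events, root_ppid=0):
    """Indented process tree, one '[pid] command line' per line."""
    children = defaultdict(list)
    for p in processes(events).values():
        children[p["ppid"]].append(p)
    lines = []

    def walk(ppid, depth):
        for p in children.get(ppid, []):
            lines.append("  " * depth + "[%d] %s" % (p["pid"], p["cmdline"]))
            walk(p["pid"], depth + 1)

    walk(root_ppid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS))
    print("dropped EXE executed:", dropped_exe_executions(EVENTS))
    print("cross-process writes:", cross_process_writes(EVENTS))
    print("crashed processes:", crashes(EVENTS))
```

The crash parser is why a report can list two crashes while the tree shows four WerFault processes: the `-u -p` instance spawned under the faulting process and the top-level `-pss` instance both carry the same `-p <pid>`, and the function keys on that pid rather than on the WerFault process count.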
Network
MITRE ATT&CK Matrix
Downloads
File 1
Filesize: 122KB
MD5: da5eb128c90d9866663cdc023e947abc
SHA1: 62de549183bd5e1ed8552248fd9ceb57219e2f0a
SHA256: 7e8d8585cde1222c9ef99ec657837c1cd298097ad467af6a0f3c8697f20d0ece
SHA512: 1b3e39ff7eb0413920da06dce365cc47a6764704769bac5cbb7f49f1d57bbbeaa68277958bbcc7db5c8ca68ec67b43b63796b520d19043ec9820044ca345ee91

File 2
Filesize: 114KB
MD5: eb33679f962d6fb57a38abb2d97befab
SHA1: 51fd0014b62348ab91f5b7ca259bd48ad7e72bab
SHA256: c7ceeb2ab7aeecebb9dead9a3f59d42af5fe7576b3d462a04cf3e8003c113de1
SHA512: ba6941bfa117106d53542b0812173936902a4c7357bab9994c8ab08601e36f1324119c5f004085ea8bea3a2c1d200d4155d2fbb3b1afc924e383c2a092cf6dfa