Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 03:17
Static task: static1
Behavioral task: behavioral1
  Sample: 026eb02c34da452f7e5d4289c0be85b0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 026eb02c34da452f7e5d4289c0be85b0.exe
  Resource: win10v2004-20231215-en
General
Target: 026eb02c34da452f7e5d4289c0be85b0.exe
Size: 3.6MB
MD5: 026eb02c34da452f7e5d4289c0be85b0
SHA1: cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256: c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512: 0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP: 49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA
Malware Config
Signatures
Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
Ekans Ransomware 5 IoCs
Executable looks like Ekans ICS ransomware sample.
resource | yara_rule
behavioral1/files/0x000a000000012233-2.dat | family_ekans
behavioral1/files/0x000a000000012233-8.dat | family_ekans
behavioral1/files/0x000a000000012233-6.dat | family_ekans
behavioral1/files/0x000a000000012233-4.dat | family_ekans
behavioral1/files/0x000a000000012233-9.dat | family_ekans
Zebrocy Go Variant 5 IoCs
resource | yara_rule
behavioral1/files/0x000a000000012233-2.dat | Zebrocy
behavioral1/files/0x000a000000012233-8.dat | Zebrocy
behavioral1/files/0x000a000000012233-6.dat | Zebrocy
behavioral1/files/0x000a000000012233-4.dat | Zebrocy
behavioral1/files/0x000a000000012233-9.dat | Zebrocy
Executes dropped EXE 1 IoCs
pid | Process
2500 | dump.exe
Loads dropped DLL 5 IoCs
pid | Process
3036 | 026eb02c34da452f7e5d4289c0be85b0.exe
3036 | 026eb02c34da452f7e5d4289c0be85b0.exe
2680 | WerFault.exe
2680 | WerFault.exe
2680 | WerFault.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2388 | 3036 | WerFault.exe | 27
2680 | 2500 | WerFault.exe | 29
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3036 wrote to memory of 2500 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 29
PID 3036 wrote to memory of 2500 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 29
PID 3036 wrote to memory of 2500 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 29
PID 3036 wrote to memory of 2500 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 29
PID 3036 wrote to memory of 2388 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 31
PID 3036 wrote to memory of 2388 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 31
PID 3036 wrote to memory of 2388 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 31
PID 3036 wrote to memory of 2388 | 3036 | 026eb02c34da452f7e5d4289c0be85b0.exe | 31
PID 2500 wrote to memory of 2680 | 2500 | dump.exe | 32
PID 2500 wrote to memory of 2680 | 2500 | dump.exe | 32
PID 2500 wrote to memory of 2680 | 2500 | dump.exe | 32
PID 2500 wrote to memory of 2680 | 2500 | dump.exe | 32
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
  PID: 3036
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\dump.exe
    Command line: dump.exe
    PID: 2500
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 104
      PID: 2680
      - Loads dropped DLL
      - Program crash
  Depth 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 168
    PID: 2388
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 576KB
MD5: 4002a90a53220905d98f70eeb682215c
SHA1: 57d13180229fb3c04fae616ac26cf92096541605
SHA256: 307d1bcf721d4d5d6845cf448ce4063e670454229ac6aea4a741c31e873d07c0
SHA512: 37594886de2df54ffa148006a13ffa197ceb600880438bc5849dddef74a0ae4e130d7909d8b5160b44c3a24d416366f31c2b97a474944732491d5381ae0d0c64

Filesize: 472KB
MD5: 3efac9f6acd6d01a0448d19478144c1c
SHA1: 93e2d14219a6512980f240493528c118bd38d596
SHA256: cd9f1796b523ca9ba9f30191fc34535a117ec1beff026e5d1ebed5169e3a144e
SHA512: c6274e32cd18563e9a117e159bf2177d8b1d130057b62a1a39477cd243c738eb53430066600980e7cb1a2f7fa353f181481fe9ef412105ce20779b0020baa340

Filesize: 768KB
MD5: 0f1f83ff60b1a0a9f2f8e17f4b7ba954
SHA1: 38a6d86cd910775d89fc94a0054570208b4a7cfe
SHA256: 5d94bde73c07856efc80424939f55d6916a45caf970192ad3fc0924b62ea2807
SHA512: ff5f0e613dacaa9de03d28929d3f7c316677ea199f2daa80b8772fc33fef3e3e8791a6b5860d206f5d8e5eb37939340e4859b34838604ea3c717e17fb79d04ce

Filesize: 704KB
MD5: de9570c9a258c89f7037ae6e10178ea8
SHA1: 09980c04d8c1ae67cf9c964fb92fbe80e19c79ca
SHA256: 406f4ca901c06c6baee7673fb89b94480adc6566766fd8deddd9f7269a137613
SHA512: 4be30fddc892a5f845dddb76110fad20f79420dd459a281d450014982fa30cb753ead65019b254d66d3d955bbc2a6bdbf8bc0abd0d963e90d9f030cd3eebb9fb

Filesize: 3.6MB
MD5: cdb98dd2476e88aa64ae9eaaf620fe01
SHA1: 5fc5981b9fe0551bcfa9e829ebbbbdc62729ef9c
SHA256: 66d013b6fa644e65465e52c644ab7d183fad81239149169e844615240f14c79b
SHA512: 618b7cf9e4f04f3b992d4d919fb7cbec2e085edf6610d94c6b981f51df3f6454e39f2d24010d3be2db5fb193a37154bc7372e96bc4bf87e29c062e946bc829a7