Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 03:17

General

  • Target

    026eb02c34da452f7e5d4289c0be85b0.exe

  • Size

    3.6MB

  • MD5

    026eb02c34da452f7e5d4289c0be85b0

  • SHA1

    cc71d0e6310534b1e4e51d894c811388b72b5812

  • SHA256

    c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

  • SHA512

    0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c

  • SSDEEP

    49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Malware Config

Signatures

  • Ekans

    Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.

  • Ekans Ransomware 5 IoCs

    Executable looks like Ekans ICS ransomware sample.

  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

  • Zebrocy Go Variant 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
    "C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\dump.exe
      dump.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 104
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 168
      2⤵
      • Program crash
      PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dump.exe

    Filesize

    576KB

    MD5

    4002a90a53220905d98f70eeb682215c

    SHA1

    57d13180229fb3c04fae616ac26cf92096541605

    SHA256

    307d1bcf721d4d5d6845cf448ce4063e670454229ac6aea4a741c31e873d07c0

    SHA512

    37594886de2df54ffa148006a13ffa197ceb600880438bc5849dddef74a0ae4e130d7909d8b5160b44c3a24d416366f31c2b97a474944732491d5381ae0d0c64

  • C:\Users\Admin\AppData\Local\Temp\dump.exe

    Filesize

    472KB

    MD5

    3efac9f6acd6d01a0448d19478144c1c

    SHA1

    93e2d14219a6512980f240493528c118bd38d596

    SHA256

    cd9f1796b523ca9ba9f30191fc34535a117ec1beff026e5d1ebed5169e3a144e

    SHA512

    c6274e32cd18563e9a117e159bf2177d8b1d130057b62a1a39477cd243c738eb53430066600980e7cb1a2f7fa353f181481fe9ef412105ce20779b0020baa340

  • \Users\Admin\AppData\Local\Temp\dump.exe

    Filesize

    768KB

    MD5

    0f1f83ff60b1a0a9f2f8e17f4b7ba954

    SHA1

    38a6d86cd910775d89fc94a0054570208b4a7cfe

    SHA256

    5d94bde73c07856efc80424939f55d6916a45caf970192ad3fc0924b62ea2807

    SHA512

    ff5f0e613dacaa9de03d28929d3f7c316677ea199f2daa80b8772fc33fef3e3e8791a6b5860d206f5d8e5eb37939340e4859b34838604ea3c717e17fb79d04ce

  • \Users\Admin\AppData\Local\Temp\dump.exe

    Filesize

    704KB

    MD5

    de9570c9a258c89f7037ae6e10178ea8

    SHA1

    09980c04d8c1ae67cf9c964fb92fbe80e19c79ca

    SHA256

    406f4ca901c06c6baee7673fb89b94480adc6566766fd8deddd9f7269a137613

    SHA512

    4be30fddc892a5f845dddb76110fad20f79420dd459a281d450014982fa30cb753ead65019b254d66d3d955bbc2a6bdbf8bc0abd0d963e90d9f030cd3eebb9fb

  • \Users\Admin\AppData\Local\Temp\dump.exe

    Filesize

    3.6MB

    MD5

    cdb98dd2476e88aa64ae9eaaf620fe01

    SHA1

    5fc5981b9fe0551bcfa9e829ebbbbdc62729ef9c

    SHA256

    66d013b6fa644e65465e52c644ab7d183fad81239149169e844615240f14c79b

    SHA512

    618b7cf9e4f04f3b992d4d919fb7cbec2e085edf6610d94c6b981f51df3f6454e39f2d24010d3be2db5fb193a37154bc7372e96bc4bf87e29c062e946bc829a7