Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

16bdae8ef0...c1.exe

windows7-x64

7

16bdae8ef0...c1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 11:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16bdae8ef0df9f8a7d00c2894f1eb4c1.exe

  • Size

    2.0MB

  • MD5

    16bdae8ef0df9f8a7d00c2894f1eb4c1

  • SHA1

    e1526c10cebb997cd774b76f5fac8ff85c2f7659

  • SHA256

    41d1925957031e9caee9014b69e59007354719a35bdad1f01e05231977d1ba2b

  • SHA512

    05341efbdcfd05bb040c188f917c784697e452cc5d36854da04e86494cd8a3480a8fce0f33312e7a3ce1d61dd9797ce0f64ae7e1f9d7f234000744345f5c51c6

  • SSDEEP

    49152:OFUcx88PWPOpX0SFlSqbBVcS4pnUi4mu0M8bDwlZQnzei60rNVyGc:O+K88uPCHbSqb0JUmA8bDe+C4yGc

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\16bdae8ef0df9f8a7d00c2894f1eb4c1.exe
    "C:\Users\Admin\AppData\Local\Temp\16bdae8ef0df9f8a7d00c2894f1eb4c1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\4C7A.tmp
      "C:\Users\Admin\AppData\Local\Temp\4C7A.tmp" --splashC:\Users\Admin\AppData\Local\Temp\16bdae8ef0df9f8a7d00c2894f1eb4c1.exe FB227B165102050FC8685CE45125A196804DC8A7D148B258C17D942245897CA5AD6022546663AEAC92AE4DF31B8BEAD2680A669941DA0E864B96C4EB2217C031
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\16bdae8ef0df9f8a7d00c2894f1eb4c1.docx" /o ""
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\16bdae8ef0df9f8a7d00c2894f1eb4c1.docx
    Filesize

    19KB

    MD5

    4046ff080673cffac6529512b8d3bdbb

    SHA1

    d3cbc39065b7a55e995fa25397da2140bdac80c1

    SHA256

    f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

    SHA512

    453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4C7A.tmp
    Filesize

    832KB

    MD5

    f1f246f47f21accb9a3ee707a68597cb

    SHA1

    7742fc2a0fd461764cd713c969e395c195240b61

    SHA256

    8d7691d4d4bd333c3bc22bd85def2530477b5d5e7e848f81711a196aa796174a

    SHA512

    785d58cb636ab079cec6fa34f33ebeb4307a58416288cac0f847405bda4379367f4ef2e96e844ac7fca044fda18580b40003b0fed8e5a88b6576062a7e2923b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4C7A.tmp
    Filesize

    365KB

    MD5

    2a911156a40b1404ba07e1935ca4307c

    SHA1

    d5dd8a18e4d22577e63b275d0082764b7b658e0c

    SHA256

    8cf14c5555412ca879eba5e3573990d70180b0375e354ade9365ca71f878e992

    SHA512

    be1b6b057a58df97daeb81b28adf42435a0257c801c26446120848fd3f21c2e6876c74a9df8b8e4d91dcd08731118ad3c942925dba8ea0bafea882d374eb26b2

    Download Submit

  • memory/1520-5-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-14-0x00007FFA428F0000-0x00007FFA42900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-21-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-13-0x00007FFA428F0000-0x00007FFA42900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-11-0x00007FFA428F0000-0x00007FFA42900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-15-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-16-0x00007FFA428F0000-0x00007FFA42900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-17-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-19-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-18-0x00007FFA428F0000-0x00007FFA42900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-20-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-45-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-12-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-22-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-24-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-26-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-25-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-23-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-27-0x00007FFA40800000-0x00007FFA40810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-28-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-29-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-30-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-31-0x00007FFA82870000-0x00007FFA82A65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3452-32-0x00007FFA40800000-0x00007FFA40810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-0-0x0000000000400000-0x0000000000606000-memory.dmp

    Filesize

    2.0MB

    Download