Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/01/2024, 05:51

General

  • Target

    7f0d560ba461f552ea079c1e8e1e9597.exe

  • Size

    438KB

  • MD5

    7f0d560ba461f552ea079c1e8e1e9597

  • SHA1

    18d46ac48d1c4e6ba873f0b3b4f2049c8b3b77c4

  • SHA256

    73c846a0f8625e95ae1ccb50fe41ada93bf891329beb9f21c2e920d77c014005

  • SHA512

    c1817cbaa8bef2d4b9e9909082b13d295f6628f7b7d6dc1780860d321216cc729bc42b5dd86f2191526fc030ebd924e00158b8ceca724d7a36da45089ebe5e79

  • SSDEEP

    6144:382p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBwNe:Tp4pNfz3ymJnJ8QCFkxCaQTOlOb

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Renames multiple (5580) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file (2 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 2 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (3 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f0d560ba461f552ea079c1e8e1e9597.exe
    "C:\Users\Admin\AppData\Local\Temp\7f0d560ba461f552ea079c1e8e1e9597.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini.exe

    Filesize

    438KB

    MD5

    3f15fbe539e5898b481b0a613272ea69

    SHA1

    68e3adb13349f675f36992d37b84202b438d816d

    SHA256

    10a200e8ae0fcd5eab4b10e27c849decb5b7eeb3be49403f81ad9bd264c8fa96

    SHA512

    67db84a1d9f80e17ec088b600b96e9bfff2918eec30268ffe69fc7c989621ceeb24c51e34432dc998c883f4d2c02267e4ce9190ed4493d42403309238a76dd6c

  • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

    Filesize

    1.2MB

    MD5

    727e92e9a59cbaea35bc57ba15bbaa8d

    SHA1

    a3ced10f5aa348b07702a47172d323e5c680e262

    SHA256

    ea5cccf6cc646f0c84a6f51b1377f6bb4d78a65c314ac1eb0a1f2405b3fc91bd

    SHA512

    2b7112cf4441fe02232116839bf270033d59888f70243bde520d28879b0c1834138a10e09797c1e280f9bb1f911ae6ebccf341090348734efcf3f84f57c7372d

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • memory/4292-0-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB

  • memory/4292-8910-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB