Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
141s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
22/02/2024, 09:25
General
-
Target
File-Ready.or.Not.v41630_515227.exe
-
Size
27.5MB
-
MD5
44f38a48c3d18b99ebb434e8ed22728f
-
SHA1
0d2ed15ee98daf8ceaf2570786d12288b2e490be
-
SHA256
cde41e7f12e6c1eb4f5fc935c4dc706154eaea25b973b23754e8a0ebdc023767
-
SHA512
f77aa94ebc6c874619b6c74887d6faf0bdf53aa6cf0c7d26de1713cfbf3d9ebf68185975700cf1c4c912919f9c0a94042aed59fe3ef08f76f0d8a604a4898de8
-
SSDEEP
786432:huqpkq8b6McvEVrbYlXFoiM6ofQZTib6fzfHwSN2MbSZNjt3KWAv6C:KFfQZ86fTHwSN2MbSZXKW9C
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\File-Ready.or.Not.v41630_515227.exe"C:\Users\Admin\AppData\Local\Temp\File-Ready.or.Not.v41630_515227.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe"C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe"C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\LICENSE"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\LICENSE3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.0.1104155791\745148407" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9a7092b-68a6-4c7d-b4f8-536996a7fbce} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 1852 25c3f3f1758 gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.1.702475667\173268549" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {158836c9-afdc-4e2e-becc-7932e43f369c} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2248 25c3f2f2f58 socket4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.2.928803235\2000224547" -childID 1 -isForBrowser -prefsHandle 2752 -prefMapHandle 2952 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b0523a0-cfe0-4820-8175-eda84bd81dd2} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 2960 25c3f35da58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.3.1409694049\300923940" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cfced12-b7fb-4424-953c-97760e143f5f} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 3612 25c33362f58 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.6.1561495211\1844191342" -childID 5 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe06ab02-051e-4eb3-96b4-28b7f2a99428} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 5248 25c46f1f358 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.5.112224481\1206087723" -childID 4 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9af034f-0a8d-4625-960f-e7838d284204} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 4940 25c46f1e758 tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4512.4.1654344791\1065411546" -childID 3 -isForBrowser -prefsHandle 4884 -prefMapHandle 4876 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fec5ca2-7e54-4e58-9c7c-cf316163d2d2} 4512 "\\.\pipe\gecko-crash-server-pipe.4512" 4920 25c4695ba58 tab4⤵
-
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\README.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5d32239bcb673463ab874e80d47fae504
SHA18624bcdae55baeef00cd11d5dfcfa60f68710a02
SHA2568ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903
SHA5127633623b66b5e686bb94dd96a7cdb5a7e5ee00e87004fab416a5610d59c62badaf512a2e26e34e2455b7ed6b76690d2cd47464836d7d85d78b51d50f7e933d5c
-
Filesize
38KB
MD505c7d5fdc667561828f764eb3d686889
SHA177eab2c4e756b8ea6c08d7983c10a499650e73fd
SHA25664638abe9d00547c03ea1a94ab0d6188f274fcb4fbe9b59981bfa67344918027
SHA5124de84fb664d1a51df427d9dc2f8a04b9138684038cb9ba29d8a93a9cca589eebc0d9e92d2c73ee3f973f36e5c1b974eee84b0a8d776458bd7ee7edd14b1df4d0
-
Filesize
18.5MB
MD5bc74144bb266d5f02f76b74fbd1cc7e7
SHA1e8a3ca9d3ec1fed3abcea179b63f218e105a5606
SHA256adf74962f986bf1b388b9c9df39e3ef0e0b71c5587c1dc5cacdb1004be1b6eab
SHA512049b55b335ceabda691abfa10cd943f1a4b418d5ac47e357daba07cd590a1b481b74ca67d7c103f08f36d7be71fa543fe978109ea8dcd49ef317b6207b97a6e2
-
Filesize
24.8MB
MD5635271accb3f1144a38b8ed884e0d59b
SHA1921b29dc890be268c37638117347febd6a205208
SHA25609e1227d3ad05b51a49c4f8dc81b0e56d97d81561a60521761e8950f7cc8c51f
SHA512b12afc87c1abf2511934be096194721faf47703ec7374716591f65c49260fd9da70ec1bb8fc489841beeb04e106c98f500daaa33e543e229b30829bf978c5e2c
-
Filesize
79.5MB
MD593f90473d66f13b4a1ec2095a29419b0
SHA188e4703b0db2cbcc3a74abb9b00698b2332ba639
SHA256f295229d77225196d9839475026da7a3459b420608656bceec84c39241c38798
SHA5126fbae98df0f2423a773a2f78870daca8eee40350eaae4ace9a282b1bd7e650281a0fdb2317a9d5e7f3c404603339002fc4ecb41af58a08bc70f02160dd7df996
-
Filesize
2KB
MD581d09978272e47b8e3396425f69cbd57
SHA1610aa4dd5baa4d8202d52559ea2035ba118499d1
SHA2560a6d1e13a54900c9c9b2b3b84372f2157a11cf38d355e72190b80419813813b4
SHA5125fbdc1f3eeb92ce321661a3329c04aa130d5f96da4c0726e453077da18940d53b7723261d2f2ee5edc1878585d282facc77f56fd4a961306495ef13af87ce6b2
-
Filesize
11KB
MD535577cdff679ca848fa7bd88f33e8d99
SHA1e7fb20903f2eab8f736762fa4c8d9980a5840efd
SHA256c8a5a952e9d952561cd804b1745a273de0c36681acb5ab9e75183b0c9ff5daa4
SHA5124c6ae8ec853717247efc5393fe49b6cf7c1cc37dd58b25506087044589508aa3388149213597e6e156041c9b943917df665907766a0c33548e5a7facd0de2320
-
Filesize
746B
MD544c06a85c306710408d88d3a64f5c137
SHA17678f7a50b62715069e8fdd765f900863169ab3e
SHA256e4dd2c073d0a66b5b5c53196f50593285765c523d8aa62722c2da74a3b723ad5
SHA5123ad5bb432015acbc01efe8ec42113d360a4bf1e130df21e413f71e8334d844b0d31089a69cbddc50127de22ec88f253a4a2133adf10e53af298b0d835f9e0569
-
Filesize
6KB
MD5192f9a3c94f102f1934affff6b9b08f9
SHA13b536f05d906e022be9abdbbd22f1a923cd248d1
SHA25625464d5d4a18abf381adb3a82be6d50ea9d70aa7f8bc2fe7cd1af2e2f4e00b11
SHA512f2cd74bda9667258d18d33683810616de9856492e03ce5d82053c48a189013440b6d04536726cc1f9ce315af03ba87040b87cec7ea9328bde25cecff3730447b
-
Filesize
924B
MD5965a5d76f89f58f57fdb89136e54b682
SHA1b988e9e0865873e50e6cee82584d34956e10b051
SHA25628f6dd03ce77c8f0ef2748bfe2870a279237c8bbfaeb372b07412267ebc1aa25
SHA512780e3ce9f3370a52edb5a321caf72e0ca40f98ff2f93743d877ef206d89c11f4f152c809b21a6277388d06c7f8d156fc4d7fd960d9415ba7108ca8e84156cdb0
-
Filesize
16.0MB