Analysis
  max time kernel: 117s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 25/02/2024, 18:56
Behavioral task: behavioral1
  Sample: cbb.exe
  Resource: win7-20240221-en
General
  Target: cbb.exe
  Size: 12.8MB
  MD5: 3e41b5ad8570b7906097a9e1921309dc
  SHA1: 34f706deb8b2a01081517be2cd10eb66976c1a38
  SHA256: f48879b4ac01e464508d3dee27e0af0abc126f9613fdb6f6c94cc53391002504
  SHA512: 043b5da0897d35618f1f91d3a68c19b2fb0200ad39f51d6fb97ead7ae3a29b2627149925946f7eb882e3dc2663a7d1721be0b9e0c6ecbacdc7e23d68096d28cb
  SSDEEP: 393216:7oVRY/m3pabY9c5hlERgAdZYyW0trc7K7j3CupDb:7oHYKoYEhkgAdZWCg7K7jyupDb
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
    pid    Process
    2904   cbb.exe
    1592   cbb.exe
    660    cbb.exe
- Delays execution with timeout.exe (1 IoC)
    pid    Process
    2848   timeout.exe
  Note: timeout.exe is a child of the cmd.exe that runs test.bat ("timeout /t 100"), not a child of cbb.exe, so the delay belongs to the batch script rather than to the sample itself.
- Opens file in notepad (likely ransom note) (1 IoC)
    pid    Process
    1100   NOTEPAD.EXE
  Note: this is a heuristic signature. The file opened is C:\Users\Admin\AppData\Local\Temp\test.bat, the same batch file that cmd.exe executes; it is not a ransom note. NOTEPAD.EXE and cmd.exe both start at the top of the process tree, and the report does not show what created test.bat.
- Suspicious use of WriteProcessMemory (15 IoCs)
    description                         pid    Process    procid_target
    PID 2772 wrote to memory of 2904    2772   cbb.exe    29
    PID 2772 wrote to memory of 2904    2772   cbb.exe    29
    PID 2772 wrote to memory of 2904    2772   cbb.exe    29
    PID 1764 wrote to memory of 1592    1764   cbb.exe    36
    PID 1764 wrote to memory of 1592    1764   cbb.exe    36
    PID 1764 wrote to memory of 1592    1764   cbb.exe    36
    PID 2624 wrote to memory of 836     2624   cmd.exe    44
    PID 2624 wrote to memory of 836     2624   cmd.exe    44
    PID 2624 wrote to memory of 836     2624   cmd.exe    44
    PID 836 wrote to memory of 660      836    cbb.exe    45
    PID 836 wrote to memory of 660      836    cbb.exe    45
    PID 836 wrote to memory of 660      836    cbb.exe    45
    PID 2624 wrote to memory of 2848    2624   cmd.exe    46
    PID 2624 wrote to memory of 2848    2624   cmd.exe    46
    PID 2624 wrote to memory of 2848    2624   cmd.exe    46
  Note: every (writer, target) pair appears three times. Each time cbb.exe runs it writes into a second cbb.exe that it spawned (2772 -> 2904, 1764 -> 1592, 836 -> 660), and in each case the child is the process that loads the dropped DLL. The report shows only that memory was written, not what was written.
Processes
C:\Users\Admin\AppData\Local\Temp\cbb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbb.exe"
  PID: 2772
  Signatures: Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\cbb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cbb.exe"
      PID: 2904
      Signatures: Loads dropped DLL

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1768

C:\Users\Admin\AppData\Local\Temp\cbb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbb.exe"
  PID: 1764
  Signatures: Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\cbb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cbb.exe"
      PID: 1592
      Signatures: Loads dropped DLL

C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.bat
  PID: 1100
  Signatures: Opens file in notepad (likely ransom note)

C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\test.bat" "
  PID: 2624
  Signatures: Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\cbb.exe
      Command line: cbb.exe
      PID: 836
      Signatures: Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\cbb.exe
          Command line: cbb.exe
          PID: 660
          Signatures: Loads dropped DLL
    C:\Windows\system32\timeout.exe
      Command line: timeout /t 100
      PID: 2848
      Signatures: Delays execution with timeout.exe
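The WriteProcessMemory IoC table and the process tree above carry the same information in two flattened layouts. The following Python script is an added example, not part of the tria.ge report, that parses the IoC rows as the page prints them, collapses the repeated entries, and renders the write-to-memory lineage so the cmd.exe -> cbb.exe -> cbb.exe chain and the three cbb.exe-into-cbb.exe writes stand out. The IoC text and the PID-to-image map are copied from this page; the column order assumed by the regex (description, pid, Process, procid_target) is read off the table header.

```python
import re

# Constructed from this report: the "Suspicious use of WriteProcessMemory"
# IoC table exactly as the page flattens it onto one line. Each row is
# present three times in the report; the script counts rather than assumes.
WPM_IOCS = (
    "PID 2772 wrote to memory of 2904 2772 cbb.exe 29 "
    "PID 2772 wrote to memory of 2904 2772 cbb.exe 29 "
    "PID 2772 wrote to memory of 2904 2772 cbb.exe 29 "
    "PID 1764 wrote to memory of 1592 1764 cbb.exe 36 "
    "PID 1764 wrote to memory of 1592 1764 cbb.exe 36 "
    "PID 1764 wrote to memory of 1592 1764 cbb.exe 36 "
    "PID 2624 wrote to memory of 836 2624 cmd.exe 44 "
    "PID 2624 wrote to memory of 836 2624 cmd.exe 44 "
    "PID 2624 wrote to memory of 836 2624 cmd.exe 44 "
    "PID 836 wrote to memory of 660 836 cbb.exe 45 "
    "PID 836 wrote to memory of 660 836 cbb.exe 45 "
    "PID 836 wrote to memory of 660 836 cbb.exe 45 "
    "PID 2624 wrote to memory of 2848 2624 cmd.exe 46 "
    "PID 2624 wrote to memory of 2848 2624 cmd.exe 46 "
    "PID 2624 wrote to memory of 2848 2624 cmd.exe 46"
)

# PID -> image name, taken from the Processes section of the report.
PID_IMAGE = {
    2772: "cbb.exe", 2904: "cbb.exe", 1768: "explorer.exe",
    1764: "cbb.exe", 1592: "cbb.exe", 1100: "NOTEPAD.EXE",
    2624: "cmd.exe", 836: "cbb.exe", 660: "cbb.exe", 2848: "timeout.exe",
}

# Columns in the order the report lays them out:
# description, pid, Process, procid_target (assumed from the table header).
_EVENT = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)"
)


def parse_events(text):
    """One (src_pid, dst_pid, src_image, procid_target) tuple per table row."""
    events = []
    for m in _EVENT.finditer(text):
        # The description column and the pid column name the same writer.
        assert m["src"] == m["pid"], "description and pid column disagree"
        events.append((int(m["src"]), int(m["dst"]), m["image"], int(m["target"])))
    return events


def count_edges(events):
    """Collapse repeated rows into (src_pid, dst_pid) -> number of writes.
    Insertion order is kept so reporting is deterministic."""
    edges = {}
    for src, dst, _image, _target in events:
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
    return edges


def same_image_writes(edges, pid_image):
    """Edges where a process wrote into a child running its own image name.
    The report shows only that memory was written, not what; treat these as
    a lead for closer inspection, not as a verdict."""
    return [(s, d) for (s, d) in edges
            if pid_image.get(s) == pid_image.get(d)]


def lineage(edges, pid_image, root):
    """All root-to-leaf paths through the write-to-memory graph, rendered as
    'image(pid) -> image(pid)' strings, in first-seen edge order."""
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)

    def label(pid):
        return f"{pid_image.get(pid, '?')}({pid})"

    paths = []

    def walk(pid, trail):
        trail = trail + [label(pid)]
        if pid not in children:
            paths.append(" -> ".join(trail))
            return
        for child in children[pid]:
            walk(child, trail)

    walk(root, [])
    return paths


if __name__ == "__main__":
    edges = count_edges(parse_events(WPM_IOCS))
    for (s, d), n in edges.items():
        print(f"{PID_IMAGE[s]}({s}) -> {PID_IMAGE[d]}({d}): {n} writes")
    print("self-image writes:", same_image_writes(edges, PID_IMAGE))
    for path in lineage(edges, PID_IMAGE, 2624):
        print(path)
```

Run it with no arguments to print the five collapsed edges, the three cbb.exe-into-cbb.exe pairs, and the two paths rooted at the cmd.exe that executed test.bat. Pasting another report's IoC line into WPM_IOCS and updating PID_IMAGE from its process tree is enough to reuse it.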
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 4B
  MD5: 365c9bfeb7d89244f2ce01c1de44cb85
  SHA1: d7a03141d5d6b1e88b6b59ef08b6681df212c599
  SHA256: ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
  SHA512: d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

  Filesize: 4.0MB
  MD5: 18bc52be61f619885a3764549fed13ae
  SHA1: 6ccbdb9192ee15945d830bebee4201839547e107
  SHA256: e2941bca223bbf101d03026712340c64fcf2b6d969c9fc6c7a72fd013160228a
  SHA512: 6e0d0f63565d55e75223d90b824991007477ae85da4edc802bc14805aba9c2008f8eec8d4e6b5bd2f48acf89961b2bb069b1810f1d2cf2392f8c472325a584a7

  Filesize: 1.7MB
  MD5: 22e595677623498f74c6adc6502004ef
  SHA1: c63645823a8eb80d7954368594597e0022155107
  SHA256: fb2bc870c025a31f8dbd1163146fac5ced5c1e5f145ed21fc83d5c63d7b25b02
  SHA512: c279c6db8a9b41fd68a7d5be1ff8237154bcb2431cb3f4c344c6524c8e3b6617aae148ef78aa45e2e26ecbd8b184cfc931049cc67a08f97995ec4098597938e5

  Filesize: 25B
  MD5: f377f17f332a0fb94a8ce67684d5ce54
  SHA1: f7b8b4576f9db8f7ad28842e6626fe450f589e0a
  SHA256: 9bc50d0d8feab5cbc603054a713f46293d4123b0f2e6f15468d90333f6de586c
  SHA512: f9fb2e8d6417bcf9324607260637d252d2b78aceec4f2abfb244b187f61427f8a8928d08f277f633680fb37dc3e1e2db00724eba466998fd10135269ba025216

  Filesize: 940KB
  MD5: 3b3637d1aac53551c1498dacfec78ca8
  SHA1: 13d1e8a957b749b295e4f1002c9b730177850a8e
  SHA256: 2c346c7644c1632bedb5244938bff8f95e39e7d3393aa3e7b91e807d6d8f5378
  SHA512: 732c0edce30e0ea6f99457706975e2e4d599a56e6cf57bc5c8dcf19f23cdb2993692ba4b0080112c6b6768e7f1f5d1e985fceadfed970abbc727b6f242ae75f2

  Filesize: 4.3MB
  MD5: 11c051f93c922d6b6b4829772f27a5be
  SHA1: 42fbdf3403a4bc3d46d348ca37a9f835e073d440
  SHA256: 0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c
  SHA512: 1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6
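The General and Downloads sections list four digests per file. The following Python helper is an added example, not code from the report or from the tria.ge service, for confirming that a locally obtained copy of the sample is the one analysed here: it computes all four digests in one streamed pass and names each one that disagrees, so a truncated or mistyped hash is reported rather than silently ignored. The REPORTED values are copied from the General section above; the default filename cbb.exe is an assumption.

```python
import hashlib

# Digests of the submitted sample as listed in the General section of this report.
REPORTED = {
    "md5": "3e41b5ad8570b7906097a9e1921309dc",
    "sha1": "34f706deb8b2a01081517be2cd10eb66976c1a38",
    "sha256": "f48879b4ac01e464508d3dee27e0af0abc126f9613fdb6f6c94cc53391002504",
    "sha512": "043b5da0897d35618f1f91d3a68c19b2fb0200ad39f51d6fb97ead7ae3a29b26"
              "27149925946f7eb882e3dc2663a7d1721be0b9e0c6ecbacdc7e23d68096d28cb",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data, chunk=1 << 20):
    """Compute all four digests in one pass over `data`, which is either
    bytes or a binary file object. Files are read in chunks so a multi-MB
    sample never has to sit in memory whole."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    if isinstance(data, (bytes, bytearray)):
        for h in hashers.values():
            h.update(data)
    else:
        while True:
            block = data.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def compare(computed, reported):
    """{algo: True/False} for every digest the report lists and we computed.
    Hex case and surrounding whitespace are normalised; a reported value of
    the wrong length is simply a mismatch, so a clipped copy-paste shows up."""
    return {a: computed[a] == reported[a].strip().lower()
            for a in reported if a in computed}


def verdict(result):
    """'match' only when every listed digest agrees. Any disagreement means a
    different file, a corrupted download, or a hash typo in the report, and
    the mismatching algorithms are named so the reader can tell which."""
    if not result:
        return "no digests to compare"
    if all(result.values()):
        return "match"
    return "MISMATCH: " + ", ".join(a for a, ok in result.items() if not ok)


if __name__ == "__main__":
    import sys
    # Path to the local copy of the sample; "cbb.exe" is an assumed default.
    path = sys.argv[1] if len(sys.argv) > 1 else "cbb.exe"
    with open(path, "rb") as f:
        print(verdict(compare(digests(f), REPORTED)))
```

The same REPORTED dict shape works for the six entries in the Downloads section: swap in one entry's digests and point the script at the downloaded artefact. SSDEEP is deliberately left out, since it needs a third-party library and is a similarity score rather than an identity check.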