Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12/03/2024, 17:25
Static task: static1
Behavioral task: behavioral1
  Sample: c3ef9cb45f5cc4b446a43056ec73a48b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c3ef9cb45f5cc4b446a43056ec73a48b.exe
  Resource: win10v2004-20240226-en
General
- Target: c3ef9cb45f5cc4b446a43056ec73a48b.exe
- Size: 3.4MB
- MD5: c3ef9cb45f5cc4b446a43056ec73a48b
- SHA1: f9e774d51a2e869da2d153609b4fc3c2497dbc63
- SHA256: 8fd87bd55cdb46b5bee7e431fd7fe7da152a2ec0d511179afdab8fcd369bd036
- SHA512: cb60efb057bae4764c3fb3ee3ae4da1ed95a72155dc7f9f28e7ded64e70a6643e33f0f8061fb69fbb7d8a18c869df76f8a9af692e954121fb9d7e75df9d19e31
- SSDEEP: 49152:OsmJOgW/G5HEJDI3pzZVKItiZlermD3jz/Tygr6tKyQtzyVhDpyLajBHj4f6gZBs:OsiWgn3XsI65//JG+CPbRjrgZQ0c
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe
  Process: c3ef9cb45f5cc4b446a43056ec73a48b.exe
- Executes dropped EXE (2 IoCs)
  PID 2632 RbgTuUdYak.exe
  PID 2616 RbgTuUdYak.exe
- Loads dropped DLL (6 IoCs)
  PID 2488 c3ef9cb45f5cc4b446a43056ec73a48b.exe (2 events)
  PID 2632 RbgTuUdYak.exe (1 event)
  PID 2168 WerFault.exe (3 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  PID 2168 WerFault.exe, target PID 2616 (procid_target 31)
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  PID 2616 RbgTuUdYak.exe (17 events)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2020 c3ef9cb45f5cc4b446a43056ec73a48b.exe wrote to memory of PID 2488 (procid_target 28), 4 events
  PID 2488 c3ef9cb45f5cc4b446a43056ec73a48b.exe wrote to memory of PID 2632 (procid_target 30), 4 events
  PID 2632 RbgTuUdYak.exe wrote to memory of PID 2616 (procid_target 31), 4 events
  PID 2616 RbgTuUdYak.exe wrote to memory of PID 2480 (procid_target 32), 4 events
  PID 2616 RbgTuUdYak.exe wrote to memory of PID 2168 (procid_target 34), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
   PID: 2020
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
      PID: 2488
      - Drops startup file
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
         PID: 2632
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbgTuUdYak.exe" "C:\Users\Admin\AppData\Local\Temp\c3ef9cb45f5cc4b446a43056ec73a48b.exe"
            PID: 2616
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: "C:\Windows\SysWOW64\cmd.exe"
               PID: 2480
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 260
               PID: 2168
               - Loads dropped DLL
               - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads