Analysis
- max time kernel: 310s
- max time network: 315s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/03/2024, 19:38
Behavioral tasks
- behavioral1: sample p22d-1.3.1.exe, resource win7-20240221-en
- behavioral2: sample p22d-1.3.1.exe, resource win10v2004-20240319-en
- behavioral3: sample notep22d.pyc, resource win7-20240215-en
- behavioral4: sample notep22d.pyc, resource win10v2004-20240226-en

The analysis below is behavioral4 (target notep22d.pyc on resource win10v2004-20240226-en).
General
- Target: notep22d.pyc
- Size: 21KB
- MD5: ac2704785361dcd146f0b52812d882ff
- SHA1: 31b54bab53f53bcdf36e458ce6dd4da9457097d5
- SHA256: 0702b05fa31c6271b2b403bbee9c629cb3708dddfaa65451a4c25f6865ee2de3
- SHA512: b5a5c1d69dca308e3348058b8ff898b9c8fd9dd6f7e1fcf5683775a69fc3363a451a2e17a1f99a86cfebe02d2be3104062d67373148de89231696500c8be5fed
- SSDEEP: 384:QBiCVAAPs6a6EEToCGgEfeelnz7kvZSmH65gJKzM1Z:Q0CaACR6oDz7kvZiyJKzC
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Process | Key created
  cmd.exe | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings
  OpenWith.exe | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings
- Opens file in notepad (likely ransom note) (1 IoC)
  PID 3964, NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2864, OpenWith.exe
- Suspicious use of SetWindowsHookEx (39 IoCs)
  PID 2864, OpenWith.exe (39 identical hits)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 2864 wrote to memory of 3964 | 2864 | OpenWith.exe | 98
  PID 2864 wrote to memory of 3964 | 2864 | OpenWith.exe | 98

How to read these hits: the task launched the target with `cmd /c ...\notep22d.pyc`. A .pyc has no registered handler on this image (no Python interpreter is installed), so the shell fell through to OpenWith.exe, the "How do you want to open this file?" dialog, which then started NOTEPAD.EXE on the file. Every signature above except the storage-device enumeration is raised by cmd.exe, OpenWith.exe or Notepad, i.e. by Windows shell components, not by the sample's bytecode, which never executed. The "likely ransom note" signature fires whenever a file is opened in Notepad and is not evidence of a ransom note here. To observe the sample's actual behaviour it must be run under a Python interpreter whose version matches the .pyc magic number, or decompiled and read statically.
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\notep22d.pyc
  - Modifies registry class
  PID: 1736
- C:\Windows\system32\OpenWith.exe (depth 1)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2864
  - C:\Windows\system32\NOTEPAD.EXE (depth 2, child of OpenWith.exe)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\notep22d.pyc
    - Opens file in notepad (likely ransom note)
    PID: 3964
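Because the sandbox never executed the .pyc, the next triage step is offline: read the 16-byte CPython 3.7+ header to learn which interpreter version produced the file, then, if it matches the analyst's interpreter, unmarshal the code object for static inspection without running it. The script below is an added example and is not part of the tria.ge report or of the sample; the magic-to-version table is hand-maintained (an assumption, extend it as needed), the sample module `SAMPLE_SOURCE` is constructed for the demonstration, and the real notep22d.pyc is not included.

```python
"""Parse a CPython .pyc header and inspect its code object without executing it.

Added example (not from the tria.ge report). Implements the PEP 552 header
layout: 4-byte magic, 4-byte flags, then either mtime+source size or an
8-byte source hash, followed by the marshalled code object.
"""
import importlib.util
import marshal
import struct

# Hand-maintained table of CPython magic numbers (u16 little-endian, followed
# by b"\r\n" in the file). Assumption: only these releases are recognised.
MAGIC_TO_VERSION = {
    3379: "3.6",
    3394: "3.7",
    3413: "3.8",
    3425: "3.9",
    3439: "3.10",
    3495: "3.11",
    3531: "3.12",
    3571: "3.13",
}

HEADER_LEN = 16


def parse_pyc_header(data: bytes) -> dict:
    """Decode the header fields of a .pyc using the CPython 3.7+ layout."""
    if len(data) < HEADER_LEN:
        raise ValueError("file too short to be a .pyc")
    if data[2:4] != b"\r\n":
        raise ValueError("magic does not end in CRLF; not a CPython .pyc")
    magic = struct.unpack("<H", data[:2])[0]
    flags = struct.unpack("<I", data[4:8])[0]
    hash_based = bool(flags & 0x1)          # PEP 552 bit 0
    info = {
        "magic": magic,
        "version": MAGIC_TO_VERSION.get(magic, "unknown"),
        "flags": flags,
        "hash_based": hash_based,
        "check_source": bool(flags & 0x2),  # PEP 552 bit 1
    }
    if hash_based:
        info["source_hash"] = data[8:16].hex()
    else:
        mtime, source_size = struct.unpack("<II", data[8:16])
        info["source_mtime"] = mtime
        info["source_size"] = source_size
    return info


def load_code_if_compatible(data: bytes):
    """Unmarshal the code object only if the magic matches this interpreter.

    marshal.loads deserialises the code object but does not execute it, so
    this is safe for static inspection. A mismatched magic is refused rather
    than risking garbage or an exception from a different bytecode format.
    """
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return None
    return marshal.loads(data[HEADER_LEN:])


def inspect_pyc(data: bytes) -> dict:
    """Header fields plus, when loadable, module-level names and string constants."""
    info = parse_pyc_header(data)
    code = load_code_if_compatible(data)
    if code is not None:
        info["co_names"] = list(code.co_names)
        info["strings"] = [c for c in code.co_consts if isinstance(c, str)]
    return info


def build_timestamp_pyc(source: str, mtime: int = 0) -> bytes:
    """Build a timestamp-based .pyc for the running interpreter (constructed test input)."""
    code = compile(source, "<sample>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, len(source))
    return header + marshal.dumps(code)


# Constructed stand-in for a suspicious module; the real sample is not included.
SAMPLE_SOURCE = "import os\nNOTE = 'your files are encrypted'\nos.getcwd()\n"

if __name__ == "__main__":
    blob = build_timestamp_pyc(SAMPLE_SOURCE)
    for key, value in inspect_pyc(blob).items():
        print(f"{key}: {value}")
```

Run `inspect_pyc(open("notep22d.pyc", "rb").read())` on the actual file; if `version` is "unknown" the sample was compiled by a release not in the table, and if `co_names` is absent the analyst's interpreter does not match and a matching CPython (or a decompiler that supports that version) is needed before going further.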