Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3000.exe
windows7-x64
000.exe
windows10-1703-x64
000.exe
windows10-2004-x64
1000.exe
windows11-21h2-x64
Ana.exe
windows7-x64
8Ana.exe
windows10-1703-x64
7Ana.exe
windows10-2004-x64
Ana.exe
windows11-21h2-x64
Bad Rabit.exe
windows7-x64
10Bad Rabit.exe
windows10-1703-x64
10Bad Rabit.exe
windows10-2004-x64
10Bad Rabit.exe
windows11-21h2-x64
10Desktop Puzzle.exe
windows7-x64
1Desktop Puzzle.exe
windows10-1703-x64
1Desktop Puzzle.exe
windows10-2004-x64
1Desktop Puzzle.exe
windows11-21h2-x64
1Memz.exe
windows7-x64
6Memz.exe
windows10-1703-x64
7Memz.exe
windows10-2004-x64
Memz.exe
windows11-21h2-x64
6NoEscape.exe
windows7-x64
1NoEscape.exe
windows10-1703-x64
NoEscape.exe
windows10-2004-x64
NoEscape.exe
windows11-21h2-x64
WannaCrypt0r.exe
windows7-x64
10WannaCrypt0r.exe
windows10-1703-x64
10WannaCrypt0r.exe
windows10-2004-x64
10WannaCrypt0r.exe
windows11-21h2-x64
10Resubmissions
09/02/2025, 03:10
250209-dn49cstkez 1008/06/2024, 08:50
240608-krvyesae91 1008/05/2024, 16:15
240508-tqnx6ach3w 1008/05/2024, 16:07
240508-tkr3mafa54 1001/05/2024, 18:02
240501-wmf49acg3s 627/04/2024, 08:46
240427-kpfeysff8s 1025/04/2024, 21:25
240425-z9y55afb7v 1025/04/2024, 21:16
240425-z4pphafa97 1025/04/2024, 18:27
240425-w3929sde33 10Analysis
-
max time kernel
21s -
max time network
13s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
19/04/2024, 10:18
Static task
static1
Behavioral task
behavioral1
Sample
000.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
000.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
000.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
000.exe
Resource
win11-20240412-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
Ana.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
Ana.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
Ana.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Ana.exe
Resource
win11-20240412-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
Bad Rabit.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral10
Sample
Bad Rabit.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
Bad Rabit.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Bad Rabit.exe
Resource
win11-20240412-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
Desktop Puzzle.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
Desktop Puzzle.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
Desktop Puzzle.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
Desktop Puzzle.exe
Resource
win11-20240412-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
Memz.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral18
Sample
Memz.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
Memz.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
Memz.exe
Resource
win11-20240412-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
NoEscape.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
NoEscape.exe
Resource
win10-20240319-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
NoEscape.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
NoEscape.exe
Resource
win11-20240412-en
windows11-21h2-x64
Behavioral task
behavioral25
Sample
WannaCrypt0r.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
WannaCrypt0r.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
WannaCrypt0r.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
WannaCrypt0r.exe
Resource
win11-20240412-en
windows11-21h2-x64
Errors
General
-
Target
Memz.exe
-
Size
14KB
-
MD5
19dbec50735b5f2a72d4199c4e184960
-
SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822
-
SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
-
SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
SSDEEP
192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation Memz.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Memz.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3276 Memz.exe 3276 Memz.exe 3276 Memz.exe 3276 Memz.exe 3980 Memz.exe 3980 Memz.exe 3980 Memz.exe 3028 Memz.exe 3980 Memz.exe 3028 Memz.exe 3276 Memz.exe 3276 Memz.exe 3980 Memz.exe 3980 Memz.exe 3276 Memz.exe 1912 Memz.exe 3276 Memz.exe 1912 Memz.exe 4088 Memz.exe 4088 Memz.exe 3028 Memz.exe 3028 Memz.exe 3980 Memz.exe 3980 Memz.exe 3028 Memz.exe 4088 Memz.exe 3028 Memz.exe 4088 Memz.exe 3276 Memz.exe 1912 Memz.exe 3276 Memz.exe 1912 Memz.exe 3980 Memz.exe 3980 Memz.exe 3980 Memz.exe 1912 Memz.exe 3980 Memz.exe 1912 Memz.exe 3276 Memz.exe 3276 Memz.exe 3028 Memz.exe 3028 Memz.exe 4088 Memz.exe 4088 Memz.exe 3980 Memz.exe 3980 Memz.exe 3980 Memz.exe 4088 Memz.exe 4088 Memz.exe 3980 Memz.exe 3028 Memz.exe 3028 Memz.exe 3276 Memz.exe 3276 Memz.exe 1912 Memz.exe 1912 Memz.exe 4088 Memz.exe 4088 Memz.exe 4088 Memz.exe 1912 Memz.exe 4088 Memz.exe 1912 Memz.exe 3276 Memz.exe 3276 Memz.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4088 Memz.exe 3276 Memz.exe 3980 Memz.exe 1912 Memz.exe 3028 Memz.exe 3276 Memz.exe 4088 Memz.exe 3980 Memz.exe 3028 Memz.exe 1912 Memz.exe 3276 Memz.exe 4088 Memz.exe 1912 Memz.exe 3028 Memz.exe 3980 Memz.exe 3276 Memz.exe 4088 Memz.exe 1912 Memz.exe 3028 Memz.exe 3980 Memz.exe 3276 Memz.exe 4088 Memz.exe 1912 Memz.exe 3028 Memz.exe 3980 Memz.exe 3276 Memz.exe 4088 Memz.exe 1912 Memz.exe 3980 Memz.exe 3028 Memz.exe 3276 Memz.exe 3028 Memz.exe 4088 Memz.exe 1912 Memz.exe 3980 Memz.exe 3276 Memz.exe 3028 Memz.exe 3980 Memz.exe 1912 Memz.exe 4088 Memz.exe 3276 Memz.exe 4088 Memz.exe 3980 Memz.exe 1912 Memz.exe 3028 Memz.exe 3276 Memz.exe 3028 Memz.exe 1912 Memz.exe 3980 Memz.exe 4088 Memz.exe 3276 Memz.exe 4088 Memz.exe 3980 Memz.exe 1912 Memz.exe 3028 Memz.exe 3276 Memz.exe 3028 Memz.exe 1912 Memz.exe 4088 Memz.exe 3980 Memz.exe 3276 Memz.exe 4088 Memz.exe 3980 Memz.exe 1912 Memz.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2964 wrote to memory of 3276 2964 Memz.exe 88 PID 2964 wrote to memory of 3276 2964 Memz.exe 88 PID 2964 wrote to memory of 3276 2964 Memz.exe 88 PID 2964 wrote to memory of 3980 2964 Memz.exe 89 PID 2964 wrote to memory of 3980 2964 Memz.exe 89 PID 2964 wrote to memory of 3980 2964 Memz.exe 89 PID 2964 wrote to memory of 3028 2964 Memz.exe 90 PID 2964 wrote to memory of 3028 2964 Memz.exe 90 PID 2964 wrote to memory of 3028 2964 Memz.exe 90 PID 2964 wrote to memory of 4088 2964 Memz.exe 91 PID 2964 wrote to memory of 4088 2964 Memz.exe 91 PID 2964 wrote to memory of 4088 2964 Memz.exe 91 PID 2964 wrote to memory of 1912 2964 Memz.exe 92 PID 2964 wrote to memory of 1912 2964 Memz.exe 92 PID 2964 wrote to memory of 1912 2964 Memz.exe 92 PID 2964 wrote to memory of 3048 2964 Memz.exe 93 PID 2964 wrote to memory of 3048 2964 Memz.exe 93 PID 2964 wrote to memory of 3048 2964 Memz.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\Memz.exe"C:\Users\Admin\AppData\Local\Temp\Memz.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\Memz.exe"C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3276
-
-
C:\Users\Admin\AppData\Local\Temp\Memz.exe"C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3980
-
-
C:\Users\Admin\AppData\Local\Temp\Memz.exe"C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3028
-
-
C:\Users\Admin\AppData\Local\Temp\Memz.exe"C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\Memz.exe"C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1912
-
-
C:\Users\Admin\AppData\Local\Temp\Memz.exe"C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main2⤵
- Writes to the Master Boot Record (MBR)
PID:3048 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵PID:3148
-
-