Resubmissions

22/08/2024, 18:43 UTC

240822-xc563asamh 10

21/08/2024, 17:16 UTC

240821-vtjnaathnq 10

30/06/2024, 00:59 UTC

240630-bcjr6svbkk 10

20/06/2024, 02:02 UTC

240620-cf43ysxbnk 10

20/06/2024, 01:44 UTC

240620-b5v1xawemk 10

19/06/2024, 01:10 UTC

240619-bjmseavfmp 10

18/06/2024, 20:40 UTC

240618-zfwsxawdpa 10

18/06/2024, 13:45 UTC

240618-q2vcjawdle 10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/06/2024, 20:40 UTC

General

  • Target

    Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe

  • Size

    102KB

  • MD5

    1b2d2a4b97c7c2727d571bbf9376f54f

  • SHA1

    1fc29938ec5c209ba900247d2919069b320d33b0

  • SHA256

    7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

  • SHA512

    506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

  • SSDEEP

    1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
    "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
      "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Matsnu\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Users\Admin\AppData\Local\Temp\wczkcirnyb.pre
          C:\Users\Admin\AppData\Local\Temp\wczkcirnyb.pre
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Users\Admin\AppData\Local\Temp\wczkcirnyb.pre
            C:\Users\Admin\AppData\Local\Temp\wczkcirnyb.pre
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2908
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • Adds Run key to start application
              PID:2468

Network

  • DNS query (svchost.exe)
    Domain: nvufvwieg.com
    Remote address: 8.8.8.8:53
    Request: nvufvwieg.com IN A
    Response: No results found
  • 8.8.8.8:53
    nvufvwieg.com
    dns
    svchost.exe
    59 B
    132 B
    1
    1

    DNS Request

    nvufvwieg.com

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\wczkcirnyb.pre

    Filesize

    102KB

    MD5

    1b2d2a4b97c7c2727d571bbf9376f54f

    SHA1

    1fc29938ec5c209ba900247d2919069b320d33b0

    SHA256

    7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

    SHA512

    506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

  • memory/804-11-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/804-4-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/804-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/804-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/804-8-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/804-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/804-2-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/804-10-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/804-12-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1940-19-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/1940-15-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/1940-14-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/2468-47-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/2468-50-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/2468-51-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/2468-56-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/2908-42-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2908-45-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB
