Resubmissions
- 11/07/2024, 23:46 240711-3sg23azclr 10
- 11/07/2024, 23:38 240711-3m8b3azapm 10
- 11/07/2024, 23:35 240711-3lch1a1hpb 10

Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
- submitted: 11/07/2024, 23:38
Behavioral tasks
- behavioral1: sample get_cookies.pyc, resource win10v2004-20240709-en
- behavioral2: sample misc.pyc, resource win10v2004-20240709-en
- behavioral3: sample source_prepared.pyc, resource win10v2004-20240709-en
General
- Target: source_prepared.pyc
- Size: 65KB
- MD5: 65a0ac3b3123e17038508fc9b2b809eb
- SHA1: 75a35cfa1cf55038655253987ac55cbafe90ea67
- SHA256: c50df877c6cec044c33e5c6591eb710bcd4d9014c2867bb22f885962977a37a4
- SHA512: b35125cbae9d35e7bb15c5a49b4ec62bf8ed54c62defdcb4080f18e40df173385b2b78d1e2ca503f076a9e734f4528fecac97009068d7318768d4de4c187dba8
- SSDEEP: 1536:iaORgVgP9tXayBj1uYCFjU7x/IdBdoTupxU:YRg2/XVBkFw7xodop
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings (process: cmd.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings (process: OpenWith.exe)
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid 3556 NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 3980 OpenWith.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 3556 NOTEPAD.EXE
- Suspicious use of SetWindowsHookEx (17 IoCs)
  pid 3980 OpenWith.exe (17 events)
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3980 (OpenWith.exe) wrote to memory of 3556 (procid_target 92), 2 events
Processes
- C:\Windows\system32\cmd.exe (PID 2952)
  cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 3980)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 3556, child of 3980)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow