Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

4758ecb9c5...0N.exe

windows7-x64

9

4758ecb9c5...0N.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2024, 03:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4758ecb9c5aac5de1be72f3a0cf87bf0N.exe

  • Size

    193KB

  • MD5

    4758ecb9c5aac5de1be72f3a0cf87bf0

  • SHA1

    3451c2dc6cb9bc9233f021461b409824cb2d6976

  • SHA256

    584f59f339694e4423ef8ab1cff4d993a59f6ebdcdbb0548bc02eb8fee503e65

  • SHA512

    2b93ed304134281e2d33902d1a32a52c207c93802b0719c15499e43ec021c384a5809ea603c1a00454dadaac0b15c5ae84cab57cf47a32f0ca448442c6566c92

  • SSDEEP

    3072:6e7WpvR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2ixMl:RqH9/pKvShcHUax

Score
9/10
discoveryransomware

Malware Config

Signatures

  • Renames multiple (4618) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4758ecb9c5aac5de1be72f3a0cf87bf0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4758ecb9c5aac5de1be72f3a0cf87bf0N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Users\Admin\AppData\Local\Temp\_cup.exe
      "_cup.exe"
      2⤵
      • Executes dropped EXE
      PID:4508
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2927035347-1736702767-189270196-1000\desktop.ini.exe
    Filesize

    50KB

    MD5

    5f488e8b5b797b3e27a610a81110c1a2

    SHA1

    568e6cd7e2a934164cb5b9e7472d8f7b57ac334a

    SHA256

    39e97aeae89a794a9bbe2c330cede8f1450f77f4c4c5ef58a5bf3d9eb723b242

    SHA512

    f2f374ef5d2b6f705d76ecbeb11a9dea0b2e721af005a281c93e15beacec47f2d9918d29fe7be1e49e42c410d06cca97880bf264400dc9402f09b69c8926c633

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_cup.exe
    Filesize

    143KB

    MD5

    38f108cddb6619fba80f8382d5227ece

    SHA1

    12fd277bf756f22cfae3043900e4aff8b9f05ed9

    SHA256

    8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc

    SHA512

    3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424

    Download Submit

  • C:\Windows\SysWOW64\Zombie.exe
    Filesize

    49KB

    MD5

    57878399cc044912af7231f7cc2375cb

    SHA1

    e146c9fedad527380d2fbe15b605dad66a611a9e

    SHA256

    44ca47ec630156ed781298c2c0129ce3dc987a08fc633aaa2097a7dfc325151d

    SHA512

    1c27bcadfbc7259acae1e5d5affb46fb48bd12391cb7c11ad6d4a104d5375ace55440a0c2ff31de7130b18babf76834d917a1bce48332d3e86612ec81ba17be6

    Download Submit

  • memory/4508-20-0x00007FFD707D3000-0x00007FFD707D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4508-19-0x00000000007F0000-0x0000000000818000-memory.dmp

    Filesize

    160KB

    Download