Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    05/08/2024, 21:37

General

  • Target

    52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd.exe

  • Size

    539KB

  • MD5

    6a73584a7fe555203e71ac67472964cc

  • SHA1

    dcbf316fe9bdbfa4b94c147785ec0e272ce7ff55

  • SHA256

    52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd

  • SHA512

    216b7efa47ae3caa9048ae149932b9b5aaf7fa288cffabb6789518ae457adcd5ac80032d56fc07caf3000dac18cfe67bdeb998665fc1a52f04cafb78fb1b41ef

  • SSDEEP

    6144:RqKvb0CYJ973e+eBSo54oAnjyDdU1sL8Lsw9g09Bp0cV07nNoTWwan7:vvbxYXyS8y+mm8YwBm7fn7

Score
9/10

Malware Config

Signatures

  • Renames multiple (3661) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd.exe
    "C:\Users\Admin\AppData\Local\Temp\52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:300
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2172
    • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
      "_MpCmdRun.exe"
      2⤵
      • Executes dropped EXE
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

    Filesize

    86KB

    MD5

    8188a5f2993a7753df4678918328e2d3

    SHA1

    d8d544169011ca89fc4556ee8d889648c6032f09

    SHA256

    cd74debe09950011a4b3c326f252d06f12d4e9f1f6893cedb44f64194a4e39fd

    SHA512

    4250d64a6299e79443cc56dec9cec80e39e0d3cd887c8c9fa3d40b9c2fde7915df9fd04585030b8f667f6d38de9bec4b61e120140df8ccca7d3a279874a09de8

  • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe

    Filesize

    453KB

    MD5

    aa153bb98ec3f9e570624c51973ed8e3

    SHA1

    670edf4eeac09a1e44d6fe3ee7ed242007d1dae8

    SHA256

    b183a188f3d9e222da02cc8c222238ecae4b0b9280b2cf31fc82eb63a54c4106

    SHA512

    77545f077c74fcc2f074a16a7becdad1e94b06822c0ab788abf936c5d73fc3202b0f2882fe08ccfe23ced9f70a9f49f2b0f23a023ada4c5e49b888f5d427e009

  • \Windows\SysWOW64\Zombie.exe

    Filesize

    85KB

    MD5

    0d7e41826fc9ca3854543db86a2d57ca

    SHA1

    d03a1723748a1ee092cf09eebc1d1db254d5d540

    SHA256

    2c915f47f055fc70088c508327f4228546eeedc2534ff732adbcd270849327c5

    SHA512

    21bad97a9ff1203fc5da329e43dbc652edba59eaef8a371f9e3a019d79c3d45d3a4b8aeee761f9b8fb9249ae2f9fbf3ee13f0fe77204e0850ff9e0dfc6512694