Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/08/2024, 21:37

General

  • Target

    52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd.exe

  • Size

    539KB

  • MD5

    6a73584a7fe555203e71ac67472964cc

  • SHA1

    dcbf316fe9bdbfa4b94c147785ec0e272ce7ff55

  • SHA256

    52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd

  • SHA512

    216b7efa47ae3caa9048ae149932b9b5aaf7fa288cffabb6789518ae457adcd5ac80032d56fc07caf3000dac18cfe67bdeb998665fc1a52f04cafb78fb1b41ef

  • SSDEEP

    6144:RqKvb0CYJ973e+eBSo54oAnjyDdU1sL8Lsw9g09Bp0cV07nNoTWwan7:vvbxYXyS8y+mm8YwBm7fn7

Score
9/10

Malware Config

Signatures

  • Renames multiple (5036) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd.exe
    "C:\Users\Admin\AppData\Local\Temp\52bd311d6e5381c07066678acc8150edbc63c6a697cb94e91e944a12766710dd.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3660
    • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
      "_MpCmdRun.exe"
      2⤵
      • Executes dropped EXE
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.exe

    Filesize

    86KB

    MD5

    157fedd1bca72dcd9e8b741dcf868baf

    SHA1

    ccf564227b2bc464654c1b1ee04d4d0d623b7769

    SHA256

    ef948e0b1356646e709d45c064b82cf7a24ad245e0f564dc6c0e9c9b454d397b

    SHA512

    e331c999dc75f851de4b8166fd21a48b2e4e751f32875cef99068e36f3ede31fa4e568b714ccfb0bd625f28b18cf9e52ba6faccf29ee7ce7eb3635060abd9e58

  • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe

    Filesize

    453KB

    MD5

    aa153bb98ec3f9e570624c51973ed8e3

    SHA1

    670edf4eeac09a1e44d6fe3ee7ed242007d1dae8

    SHA256

    b183a188f3d9e222da02cc8c222238ecae4b0b9280b2cf31fc82eb63a54c4106

    SHA512

    77545f077c74fcc2f074a16a7becdad1e94b06822c0ab788abf936c5d73fc3202b0f2882fe08ccfe23ced9f70a9f49f2b0f23a023ada4c5e49b888f5d427e009

  • C:\Windows\SysWOW64\Zombie.exe

    Filesize

    85KB

    MD5

    0d7e41826fc9ca3854543db86a2d57ca

    SHA1

    d03a1723748a1ee092cf09eebc1d1db254d5d540

    SHA256

    2c915f47f055fc70088c508327f4228546eeedc2534ff732adbcd270849327c5

    SHA512

    21bad97a9ff1203fc5da329e43dbc652edba59eaef8a371f9e3a019d79c3d45d3a4b8aeee761f9b8fb9249ae2f9fbf3ee13f0fe77204e0850ff9e0dfc6512694