Resubmissions

07/08/2024, 11:26

240807-njvt8s1ekf 3

07/08/2024, 11:15

240807-ncnscaxgnm 7

Analysis

  • max time kernel
    1221s
  • max time network
    1150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2024, 11:15

General

  • Target

    rc8

  • Size

    36B

  • MD5

    a1ca4bebcd03fafbe2b06a46a694e29a

  • SHA1

    ffc88125007c23ff6711147a12f9bba9c3d197ed

  • SHA256

    c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

  • SHA512

    6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 58 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\rc8
    1⤵
    PID:2236
  • C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2312
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1408
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\wirussss.bat" "
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\system32\shutdown.exe
      shutdown -s -t 60 -c "Masz po kompoe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4404
    • C:\Windows\system32\taskkill.exe
      taskkill /f /pid explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4428
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Trojan.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Downloads\Trojan.txt

    Filesize
    32B

    MD5
    b688abf0e42b1a95fe617da9c841900b

    SHA1
    52bff9d7f1e2799351a9c0b6d3072849f222f693

    SHA256
    3718d31dff8c6804999f618778483fab5b81574ecdc1ded3f7393fe65b4c7f03

    SHA512
    5610cfceec920cda35a31eba5289a549d0f819aeab9b6a8de5dd658a18176a56ab69cc72f10b099ba582c3c31a8a02091e15005a7ae3d69abd689bfafacc2fa7

  • C:\Users\Admin\Downloads\wirussss.bat

    Filesize
    242B

    MD5
    fea4752c887c5132f225cf8ae6a2bf17

    SHA1
    5613bb163d9c91742f0f6d346d20f43d6aa38d48

    SHA256
    1d879500c30292efe20e06c43481f38ca57544f6712ea55bcb521dbc4ce8b1c7

    SHA512
    dfc312614bacb2783ad28a15e0866af6159fee4c6af178864cac2d251c012c5a8ff18edb635c615e1985ed08b3e8cb72bef79833943bfe57c3cc18df9f68c11a