Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/08/2024, 18:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe
Resource
win7-20240708-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe
-
Size
198KB
-
MD5
ecb392115be62d9994b4bbc1d8412dea
-
SHA1
2cf640865c92733e64d615a6b13ef97b8a941715
-
SHA256
0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c
-
SHA512
94de20af5894c6656b57007fb62e21ddbc28feeafd2ea0396762eab229752b454f79e99a68aa739bd39cf798ea1463417dd1ee4ae639cb6adc71fc6425439b07
-
SSDEEP
768:W7BlphA7pARFbhKKVeIuKVeIaCgx+qsaCgx+qs9lRlCE:W7ZhA7pApaX0aX09rB
Score
9/10
Malware Config
Signatures
-
Renames multiple (4787) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\7-Zip\Lang\tr.txt.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Common Files\System\ado\msado60.tlb.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe"C:\Users\Admin\AppData\Local\Temp\0de881bcefca6fd9abc7e1580e86c46922723837f86cbd7f485046c64398fd9c.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5052
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198KB
MD51e99654c3ff1131055df7edd2533b257
SHA10be371e526bd63df7977461a9f369b12171a9201
SHA256dda4d3f247dfa0f33ea3fad99a73f12557bac0455b5e54c1fe16bf3fa89e1cee
SHA512d611793957a4789ce3e1326747a9ea72aefc5a3d8767cf7658463dc9392a6c8247dc3af9613ee2b4fc0447352ec38bf7b86b133d57a080e55a50b39eb40e69ba
-
Filesize
297KB
MD5c89b0a2cd60e4e41dae25de935927d88
SHA1c7093f8a21976a75abb1dde3f25743f9856fa0ec
SHA2569481dfac4ebf031b68ac94bb5d96034f6bc3827a04ebd4a769509437f9585fe7
SHA5126e1eccb61f0ce20e81f610b197b158441620dbcf43bbd2caf0b72c2a4a068d76df04e9bd67a0027bde5a76a6fda28f875a2e033f05d0490ef16408b988e1797c