Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/08/2024, 08:45

General

  • Target

    cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48.exe

  • Size

    146KB

  • MD5

    7aeb2d5c828d7c8c6525ce7710c81d7f

  • SHA1

    d72bfaf7d9700beb02169c61373d1a11e3923138

  • SHA256

    cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48

  • SHA512

    2081495f5e3b7614baa88bd61028d77bfca3e8dc980ec16506027d42131ae2364db074ce7e5c4842d54741909775611dd4664ec70446f83b770bc7627785127b

  • SSDEEP

    1536:ezICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDhhsfITrOOZUrDV17OK7jVUby/Y:FqJogYkcSNm9V7DiIdZc51r7jS1bT

Malware Config

Signatures

  • Renames multiple (614) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48.exe
    "C:\Users\Admin\AppData\Local\Temp\cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4328
    • C:\ProgramData\A653.tmp
      "C:\ProgramData\A653.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A653.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2664
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:456
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{25000EFD-C2CB-4364-89E4-4F761F236916}.xps" 133678395627290000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:4596

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini

      Filesize

      129B

      MD5

      21fd208410ea3c9b53890010f6ed0408

      SHA1

      7aaa78d478943b3933a7808f244599f4dcd04111

      SHA256

      7155e0297e2394f18f3e0223d9f975e26d87adab152f1bdace5668087ffc5864

      SHA512

      2456649f7e0886415cb9ef98a2fe26eea5b5837eda089ba327282e114e8ee3226ec6b2740c8eb2e33cf9cf33d2b813570320af3d1147ea9afa7bdc69a8a89c76

    • C:\ProgramData\A653.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      146KB

      MD5

      5f919d3190b47d547a29de7cbd115bfa

      SHA1

      296f029d76f370284937fb7d0ed30d30e7fd5a7d

      SHA256

      be769659eee41ed1ea1018268d1294c4ffd399536c2580220394f45b82b55569

      SHA512

      b8bd534524fb34d5f49447d3547dbefac55b0dffe121c76bf2b3b0b35584f337a45335bfcd62f7be53a86e7669666b579cb0a72cb6952c564ae43458ccf794ca

    • C:\u67bPvnd7.README.txt

      Filesize

      596B

      MD5

      5427cd674e8f86faaa49f0e48a7d3fa5

      SHA1

      70f80c87a506eda9646345887e63fa11a054b03c

      SHA256

      d671f9a2b73aab36554a437560291b23aa012b2d7527609123778900bcccd68f

      SHA512

      b75fbbdc3769f2ac37a9d74755d4d1e5c47e7804319637e6fb7b0fb209c5b0aaf3a8c732fc4e6e7f69a92f34cca2b7980d3923b70a07ec3ee50cfe9813e4c65e

    • F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      3cc55344b700834414744fd4ce46fcb7

      SHA1

      48dd6c744dd3bb4f8e6939745b21cdaae355a31b

      SHA256

      72de0bcd2b5b78153d4e4920386519197aa91bdc5b08005d44784311d315df84

      SHA512

      c0dfc64780dcba8bf8d2d07381d800db5711859e6085dadae6911965c41bb8087c0245887fb2b40368a9d6897060ff2b39729ab596113e91619918726d081865

    • memory/2436-1-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/2436-2-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/2436-0-0x00000000028B0000-0x00000000028C0000-memory.dmp

      Filesize

      64KB

    • memory/4596-2809-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

      Filesize

      64KB

    • memory/4596-2811-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

      Filesize

      64KB

    • memory/4596-2812-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

      Filesize

      64KB

    • memory/4596-2814-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

      Filesize

      64KB

    • memory/4596-2810-0x00007FFF55DF0000-0x00007FFF55E00000-memory.dmp

      Filesize

      64KB

    • memory/4596-2842-0x00007FFF53680000-0x00007FFF53690000-memory.dmp

      Filesize

      64KB

    • memory/4596-2843-0x00007FFF53680000-0x00007FFF53690000-memory.dmp

      Filesize

      64KB