Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    11/08/2024, 08:45

General

  • Target

    cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48.exe

  • Size

    146KB

  • MD5

    7aeb2d5c828d7c8c6525ce7710c81d7f

  • SHA1

    d72bfaf7d9700beb02169c61373d1a11e3923138

  • SHA256

    cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48

  • SHA512

    2081495f5e3b7614baa88bd61028d77bfca3e8dc980ec16506027d42131ae2364db074ce7e5c4842d54741909775611dd4664ec70446f83b770bc7627785127b

  • SSDEEP

    1536:ezICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDhhsfITrOOZUrDV17OK7jVUby/Y:FqJogYkcSNm9V7DiIdZc51r7jS1bT

Malware Config

Signatures

  • Renames multiple (612) files with added filename extension

    This suggests ransomware activity, i.e. the files on the system are being encrypted and renamed.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
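
The "Renames multiple (612) files with added filename extension" signature above is a count-based heuristic over file events. The Python below is an added example, not tria.ge's signature code, showing one way to implement the same check over file-rename telemetry: it flags a process that appends the same new extension to at least N files within a short window, while ignoring single renames and renames that merely replace an extension. The events, the PIDs, the paths and the ".locked" extension are constructed for illustration; the extension this sample appended is not stated in the report.

```python
"""Heuristic detector for mass renames that append a new extension, the behaviour
behind the 'Renames multiple files with added filename extension' signature.
Added example; the events are constructed, not the sandbox's raw file telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath


def make_events():
    """Constructed (timestamp, pid, old_path, new_path) rename events.
    PID 4056 and '.locked' are assumptions for illustration only."""
    base = datetime(2024, 8, 11, 8, 46, 0)
    events = []
    for i in range(12):
        old = rf"C:\Users\Admin\Documents\report{i}.docx"
        events.append((base + timedelta(seconds=i), 4056, old, old + ".locked"))
    # Benign rename by another process: the extension is replaced, not appended.
    events.append((base, 1200, r"C:\Users\Admin\Documents\draft.tmp",
                   r"C:\Users\Admin\Documents\draft.docx"))
    # A single appended-extension rename (e.g. a backup tool) is normal noise.
    events.append((base, 3300, r"C:\Users\Admin\notes.txt", r"C:\Users\Admin\notes.txt.bak"))
    return events


def appended_extension(old_path, new_path):
    """Return the appended extension if new_path is old_path plus '.<ext>' in the
    same directory, otherwise None."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.startswith(old_name + ".") or len(new_name) <= len(old_name) + 1:
        return None
    return new_name[len(old_name) + 1:]


def detect_mass_rename(events, threshold=10, window=timedelta(seconds=60)):
    """Return {(pid, ext): max_count} for processes that appended the same extension
    to at least `threshold` files inside any sliding window of length `window`."""
    per_key = defaultdict(list)
    for ts, pid, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            per_key[(pid, ext)].append(ts)
    hits = {}
    for key, stamps in per_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


if __name__ == "__main__":
    for (pid, ext), n in detect_mass_rename(make_events()).items():
        print(f"PID {pid} appended '.{ext}' to {n} files within 60s: possible ransomware encryption")
```

The threshold and window are tuning knobs: the report counted 612 renames, so a threshold of 10 within a minute is conservative, but the same check run against a file server will need a higher floor to avoid flagging archival or backup jobs.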

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48.exe
    "C:\Users\Admin\AppData\Local\Temp\cd1837ab88989f53ec170c57f403d3712e4770494c2dac3a586e9d7503dcac48.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4408
    • C:\ProgramData\DD9F.tmp
      "C:\ProgramData\DD9F.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DD9F.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2868
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:3544
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D9FA9783-7819-493E-94A2-C004FED5053A}.xps" 133678395628050000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3588
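
The process tree shows C:\ProgramData\DD9F.tmp (PID 2136) spawning cmd.exe with DEL /F /Q C:\PROGRA~3\DD9F.tmp >> NUL, i.e. the dropped executable removing its own image through a child shell (the "Deletes itself" and "Indicator Removal: File Deletion" signatures). The Python below is an added example, not part of the report or of tria.ge's detection logic, showing how to spot that pattern in process-creation telemetry: for every cmd.exe whose command line runs DEL, it looks up the parent process and compares the file name of the deletion target with the parent's image, which also copes with the 8.3 short path (C:\PROGRA~3 for C:\ProgramData) used here. The event records are constructed to mirror the tree above; sample.exe stands in for the submitted file, and the explorer.exe parent and the benign del of old.log are assumed filler.

```python
"""Detect a process deleting its own image through a cmd.exe child, the behaviour
behind 'Deletes itself' / 'Indicator Removal: File Deletion'.
Added example; the events below are constructed, not raw sandbox telemetry."""
import ntpath
import re

# DEL with optional switches (/F, /Q, ...) followed by a quoted or bare path.
DEL_RE = re.compile(r'\bdel\b((?:\s+/[a-z])*)\s+("[^"]+"|\S+)', re.IGNORECASE)
# Output redirected to NUL ('>> NUL', '> nul'), which hides DEL's error messages.
NUL_RE = re.compile(r'>>?\s*nul\b', re.IGNORECASE)

# Constructed Sysmon-style process-creation events: (pid, ppid, image, command_line).
# PIDs 4056/2136/2868 and their command lines mirror the tree in the report;
# PID 1100 (explorer.exe) and PID 5120 (a benign cleanup) are assumed filler.
EVENTS = [
    (1100, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (4056, 1100, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (2136, 4056, r"C:\ProgramData\DD9F.tmp", r'"C:\ProgramData\DD9F.tmp"'),
    (2868, 2136, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DD9F.tmp >> NUL'),
    (5120, 1100, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C del /q C:\Users\Admin\build\old.log'),
]


def parse_del_target(cmdline):
    """Return (target_path, set_of_switches) for the first DEL in cmdline, or None."""
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    switches = {s.lower() for s in m.group(1).split()}
    return m.group(2).strip('"'), switches


def detect_self_delete(events):
    """Return one hit per cmd.exe whose DEL target has the same file name as the
    image of its parent process."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        parsed = parse_del_target(cmdline)
        parent = by_pid.get(ppid)
        if parsed is None or parent is None:
            continue
        target, switches = parsed
        parent_image = parent[1]
        # Compare file names only, so the 8.3 short form C:\PROGRA~3\DD9F.tmp still
        # matches the parent's full image path C:\ProgramData\DD9F.tmp.
        if ntpath.basename(target).lower() != ntpath.basename(parent_image).lower():
            continue
        hits.append({
            "cmd_pid": pid,
            "parent_pid": ppid,
            "parent_image": parent_image,
            "target": target,
            "forced": "/f" in switches,  # /F also deletes read-only files
            "quiet": "/q" in switches,   # /Q suppresses the confirmation prompt
            "output_suppressed": NUL_RE.search(cmdline) is not None,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(f"PID {hit['parent_pid']} ({hit['parent_image']}) deleted itself via cmd.exe "
              f"PID {hit['cmd_pid']}: target={hit['target']} forced={hit['forced']} "
              f"quiet={hit['quiet']} output_to_NUL={hit['output_suppressed']}")
```

Because the parent has usually exited by the time the DEL runs, the parent's image path must come from the earlier process-creation record rather than from a live process lookup; the lookup table built from the event stream above does exactly that.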

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-2842058299-443432012-2465494467-1000\desktop.ini

      Filesize

      129B

      MD5

      11a3c2332a25feaa3ad9ec3d8b09ff67

      SHA1

      1b44f5fd4a9a7d806bbd8b17b31aa102714d060b

      SHA256

      359e262586683a24241248c5c3e856d5cff22a4d7b3e7ae16da0aa164e65d478

      SHA512

      7297d087bc16751c50aa06e435cab2a6a1ddb1880d8e17cd67ee726e31d5b18c2170c2c875f17b93c36b26765c66bf8b857816fdecb206799241f3ab1f403cf3

    • C:\ProgramData\DD9F.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT

      Filesize

      146KB

      MD5

      3c0a708dba57ca5ff0b617bbf55d983a

      SHA1

      b76059cea79503be65c2857820440dde55c60622

      SHA256

      103ca74c139ccb37fe122f06b0b7c8901f4cb112e71344b49d8c32a88685376d

      SHA512

      c346b0bb1eba1a16598364134c817b2b191d9dc3b1017d90feb7a1563e73ddab2833176dfdfdefb8c215f6e9f3aa3421b0fa5eab00ac0af68578241ec29b74da

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      c28c7fa458feb07b402dae0f36e8da58

      SHA1

      d3e1d44029964ed60834b7fdc32a18e9a1612c84

      SHA256

      492acb4f37f3dc128d585ad7564196a4e87c9d5904b9f26cfe1c15baa8d00a4e

      SHA512

      e5a95cc140bb6277403b35905620705dd4ebb2f8daaef588af9d7d3fbf3c833ebeee7244d91ac54e01ef78601bce87be93302b69855a72c3ac3066df07a67064

    • C:\u67bPvnd7.README.txt

      Filesize

      596B

      MD5

      5427cd674e8f86faaa49f0e48a7d3fa5

      SHA1

      70f80c87a506eda9646345887e63fa11a054b03c

      SHA256

      d671f9a2b73aab36554a437560291b23aa012b2d7527609123778900bcccd68f

      SHA512

      b75fbbdc3769f2ac37a9d74755d4d1e5c47e7804319637e6fb7b0fb209c5b0aaf3a8c732fc4e6e7f69a92f34cca2b7980d3923b70a07ec3ee50cfe9813e4c65e

    • F:\$RECYCLE.BIN\S-1-5-21-2842058299-443432012-2465494467-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      3e65e6897057e851128c2c69b779ebe9

      SHA1

      12e54c95299836e28594b996f72f235bf16630f4

      SHA256

      02e0a245e17efcda5007c6fba7c38a7cc90e821cf880673b395c1a8de7fa1c18

      SHA512

      e783fea2215e2b9d50fc8e8c47123790fb1e50fd4aac804d5d02ab61556389e7550510893fad47a4ba9b279affddb3e8e9e6793c5c8449f9e8de6bce60a90f14

    • memory/3588-2825-0x00007FFA75950000-0x00007FFA75960000-memory.dmp

      Filesize

      64KB

    • memory/3588-2824-0x00007FFA75950000-0x00007FFA75960000-memory.dmp

      Filesize

      64KB

    • memory/3588-2823-0x00007FFA75950000-0x00007FFA75960000-memory.dmp

      Filesize

      64KB

    • memory/3588-2822-0x00007FFA75950000-0x00007FFA75960000-memory.dmp

      Filesize

      64KB

    • memory/3588-2826-0x00007FFA75950000-0x00007FFA75960000-memory.dmp

      Filesize

      64KB

    • memory/3588-2855-0x00007FFA73730000-0x00007FFA73740000-memory.dmp

      Filesize

      64KB

    • memory/3588-2856-0x00007FFA73730000-0x00007FFA73740000-memory.dmp

      Filesize

      64KB

    • memory/4056-2-0x00000000029E0000-0x00000000029F0000-memory.dmp

      Filesize

      64KB

    • memory/4056-0-0x00000000029E0000-0x00000000029F0000-memory.dmp

      Filesize

      64KB

    • memory/4056-1-0x00000000029E0000-0x00000000029F0000-memory.dmp

      Filesize

      64KB