Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

host.exe

windows7-x64

9

host.exe

windows10-2004-x64

9

update.exe

windows7-x64

9

update.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    139s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2024, 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    update.exe

  • Size

    16KB

  • MD5

    af87d850a15f1fbde5e824116e1f174b

  • SHA1

    9d704094e5f7386104dc5b7b155768fbac9fc0f9

  • SHA256

    11863fecf89dd0fd635456d680fa4a268d9f63dc5a76093fbb79c6686d5ae17b

  • SHA512

    b0962ca6b3f96defd0b34c723bf13ec35cbda1ed5551ac41ee0ef04fffb799284ad7e4324c856443f14511b7ee83dc2bdc5588c6d6a87050ac4344c4d08c13b3

  • SSDEEP

    384:K0sAA+LPsuTnVshZ9hA+b3Qj5MRjVpV/QBOIjLbd:KaV/+b3N3pV/yb

Score
9/10
discoveryransomware

Malware Config

Signatures

  • Renames multiple (840) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\update.exe
    "C:\Users\Admin\AppData\Local\Temp\update.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\update.exe
      "C:\Users\Admin\AppData\Local\Temp\update.exe" --foodsum
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui.abc
    Filesize

    3KB

    MD5

    ac7898f40cefd0d9e031244ca053ed25

    SHA1

    3951e75fefcfdd21358e2ec5b2160a98b6440092

    SHA256

    b94da01eaf8b09ffc3ef1740b9a2db6516285e5e638f4c0614214cd2657e3dcf

    SHA512

    7353c9da8c5546a6585a7d8f1d10491226ada5c39e7a9d2bcfa2f379240a7a1c68fac2798ffbae048914e8719426959cfcdd333ddfad3194ddf639c72a9d4ef5

    Download Submit

  • C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui.abc
    Filesize

    3KB

    MD5

    8c207eb2d09a5b8c5d94111d8500cc2b

    SHA1

    8585d24b4bc1af858f5c0ce37219647ca65e9634

    SHA256

    3f054eb418dbc69f3ec8196f15f171471260d6b171eba71762584c1e9e46a33d

    SHA512

    df8d13ffbe3fe03c90ae945079fb5f9eb0dbe7a3c5037f80420759172b26033dbf64c007ec27f02149f9de81cc2008f825fda781f61b07cec2354588ca3de8f2

    Download Submit

  • C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui.abc
    Filesize

    18KB

    MD5

    d72e2621186d570c9b6fd74e139e7fb8

    SHA1

    bf22a1790a11f0f598a3f7c88dfe528a00e242d0

    SHA256

    eed0be81a7b69a3d77fbf5c95053c44c8a9203626a34a9e715d72ac40c6138ad

    SHA512

    6b308ee1aad692ba32a0d0c2a29a01fc0a0512841b0b51e03648175ab8ff286d38595bd9118b2e814e6a12b9442a46ca3487fb8ff74fb68683072fd68ab39e0f

    Download Submit

  • C:\Users\Admin\Documents\CompleteConnect.mht.abc
    Filesize

    569KB

    MD5

    f3cfdef316eab81ceb02522bd0c8ee2c

    SHA1

    0a18bcd2c18672d3497b2910cf3ab738e518bd7d

    SHA256

    a8139162dcdd587420feee75fc9cbfe272fe9609355652191ac0e20ede073fb8

    SHA512

    20b104ae9702857212acc3defc36f5c1220d6bbd2d81e6e6badd941feb62ddb620321aeecf686fe03267e1574c2f837a223ad26e091e663963cdb985f10ce595

    Download Submit

  • C:\Users\Admin\Documents\README.txt
    Filesize

    111B

    MD5

    ed96f73c7232b4e6bc6b8e54993d1d7b

    SHA1

    4a517548e17356dfba09be166daf34ff91f69387

    SHA256

    e5d27c881c0308284da6b846e90625da4b959fcf8600e9dd015fac46177d63ef

    SHA512

    540243245e4eca9b30f32b61eff6098ece0246c7a25ee61ffebdf398436c8b9c9f24f552dad3e14d61601828780001340c3b628c1a2c43cab68f4e8688920f1b

    Download Submit

  • C:\Windows\Cursors\no_m.cur.abc
    Filesize

    8KB

    MD5

    e19473270a51a8709647858b5254d847

    SHA1

    21f8c07b1b358e81a9525f43f6709f04611f8ce4

    SHA256

    4d97b1ccd5f45ff602b7299ac435bff5d3ab681b5d16995f305eabdfa13e346a

    SHA512

    33ab97b243524cbd0e252922a121b5835643472075783904e6594316eab3149a53b9f915dd4bd42e44749f336b7e05e5ed794037318d9f3e73be615f183adb56

    Download Submit

  • C:\Windows\SysWOW64\bg-BG\windows.ui.xaml.dll.mui.abc
    Filesize

    18KB

    MD5

    86dd1f690cffd98b4622159daf5bf255

    SHA1

    abdc8b61658dd9b2c71bf824b8b5a53e66f758a5

    SHA256

    89321e99d05d710dc1082602f928550547ff9f8c7a05e5ff925b0eb5ba6f3285

    SHA512

    f25d1224ebafe764acc4c9087d48ba356a029bc690f201bcea06d99271a3ac86342eca8e70944a87dfa3c7acc80b1e715fff23fe8978ce05b6c045f773b01c55

    Download Submit

  • C:\Windows\SysWOW64\de-DE\cic.dll.mui.abc
    Filesize

    2KB

    MD5

    5d4b93a97d2266bb66b6f273b09c0428

    SHA1

    a5785b48941b315879b241d543d41aed1a82360b

    SHA256

    b15d6a5f09663c881461e91a125953a87858afe14985c43678fc895ad6170c08

    SHA512

    2475b10fc6f31d074d19b61ff409cfec88b52e2bd84f9b2eaf3b3a4cf4d5d28bbd4ab5519b9a4fd2c870e5a03cf3721ba1569efbcf5d2b6fbfb4b5bf7931bb2a

    Download Submit

  • C:\Windows\SysWOW64\en-US\user32.dll.mui.abc
    Filesize

    17KB

    MD5

    84452717431b6037b13f0d3ae1d42923

    SHA1

    a76416201fcf94e8bd6d3ec800d4ed199c863607

    SHA256

    a89d0ad1e45ae818d103a198d7f2733a6cf2cb1d1ce456fafd190fe7a7553886

    SHA512

    655740066b86f4bf1a90332d73b8d89b2b232ba297100734c026fc6e126c958cdd1b21cbe1c9ab60be869b8fedd34f3a11b03e7ea899e7f6947aff9bdaa74d3c

    Download Submit

  • C:\Windows\SysWOW64\es-ES\audiodev.dll.mui.abc
    Filesize

    15KB

    MD5

    be56e6d7c99578d8bb282ce944e84886

    SHA1

    145f0780b0ebfb21af1e5a65a3b7a6aa92238fe8

    SHA256

    cb7e0ec5e43cdd707e8cbb3591cd96615230b7348f1bc74245530739ab28df91

    SHA512

    5af3e589db3aa566cded50dae29538e97c4afa29009ba61becd1f32f6c6c88b5dc06a2ccf96e7e4062176e09dd3313336ea7128c1a634124e7cf12fa60311971

    Download Submit

  • C:\Windows\SysWOW64\ja-JP\BWContextHandler.dll.mui.abc
    Filesize

    4KB

    MD5

    8bb655bc460ab2e1437afa3002a14bde

    SHA1

    b7f4a763ace78ad9de278721def9edda14a2e171

    SHA256

    0c7c235ea0b911da2794bcccb1b199a31bc432bde4b6259f662102812bbce8b1

    SHA512

    5919289c028d8c0595698d6463ea7aa0a396814d94a87f727fdffbb8d0a4646fbca350a04eea3f98644de4bfbf3aeeb4c3a8ad549f48cb7088db16cee7892da9

    Download Submit

  • C:\Windows\SysWOW64\msasn1.dll.abc
    Filesize

    49KB

    MD5

    05a60d9412a6b2e2f5b0d4c2f27464b6

    SHA1

    b18de5aeda915cb211b0e5bc0f06018ad1e6ad1a

    SHA256

    55c17e17fd6a6da34f0e9fd2ead8613bbe2ec942f2e405d21fe63e2b6410861c

    SHA512

    df1317c9d8dd6c1cb9f93d028a3371b3237b628332e4980e8f01563206c8763c28ce668d5c361515316c8e928dd62d6a3caf5f88bcc54cb215f2a64dd5b78344

    Download Submit