Resubmissions
19/08/2024, 01:17  240819-bnc4rswcqg  9
19/08/2024, 01:14  240819-blngqaygpm  9
19/08/2024, 01:10  240819-bjw13swaqc  9
Analysis
max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/08/2024, 01:17
Static task
static1
Behavioral task
behavioral1
Sample
4b314081bcb5531e368729bd169b6520N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
4b314081bcb5531e368729bd169b6520N.exe
Resource
win10v2004-20240802-en
General
Target: 4b314081bcb5531e368729bd169b6520N.exe
Size: 76KB
MD5: 4b314081bcb5531e368729bd169b6520
SHA1: 26a334cba2d2873df0fd811dba841622208af408
SHA256: 5483aadefaa81c09f0fe892527ff0003aadf557f64a0fcf5486618e80130abfe
SHA512: 3a390a26faade5c9b2efb19dba187941ed28faba4b3ae74513ef27a7f68f4a3a756e7a0459072834ddd53869bcf5dcc58e042a685e71171ed50bdfd56466274c
SSDEEP: 768:/7BlpQpARFbhIYJIJDYJIJPfFpsJcFfFpsJcC+3mC+3meDAfABJ6fABJwEXBwzEd:/7ZQpApze+eJfFpsJOfFpsJ5DL
Malware Config
Signatures
-
Renames multiple (5112) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory (64 IoCs)
description ioc Process
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msspell7.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClientSideProviders.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.DLL.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Office16\RTC.DLL.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp 4b314081bcb5531e368729bd169b6520N.exe
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b314081bcb5531e368729bd169b6520N.exe
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process
4856 taskmgr.exe (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid Process
4856 taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description pid Process
Token: SeDebugPrivilege 4856 taskmgr.exe
Token: SeSystemProfilePrivilege 4856 taskmgr.exe
Token: SeCreateGlobalPrivilege 4856 taskmgr.exe
-
Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process
4856 taskmgr.exe (64 identical entries)
-
Suspicious use of SendNotifyMessage (64 IoCs)
pid Process
4856 taskmgr.exe (64 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b314081bcb5531e368729bd169b6520N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4b314081bcb5531e368729bd169b6520N.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID: 468
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4856
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 76KB
MD5: 9e1b832dd0783ccd57a169a712646883
SHA1: 129e03833555f0251754f2ae998082f22ab83ea4
SHA256: 2a2c5bb0ce579500615f2a8f524aa6e1caff4d3cc4b0d24a41ed90e63f00e1ce
SHA512: 07bb7c133ddb7705b5e5b96d7f10bbb75fb7f386a6bc590f47230424005ea22d83b6f5d220c96aac788ff1767bea004315678f86672066ada4e0f3d06fd77e31
-
Filesize: 175KB
MD5: b61d54112d9ae1fa7c7c52d5650cecce
SHA1: f55f24890fc90427a0d99a9050cede93f59bc7e3
SHA256: 0cc20d425972b4ae01de2c63679983e6e92fae2f1c8ab63a4c11b33414680188
SHA512: efca2792c905f72b4221b3839d693344e280c2df658d8c39812578ab2647be34422020e0c78bfac2cdfc41e686d83264bf2bf715ae7879dbad7bd7794e475fc8