Resubmissions

19/08/2024, 01:17

240819-bnc4rswcqg 9

19/08/2024, 01:14

240819-blngqaygpm 9

19/08/2024, 01:10

240819-bjw13swaqc 9

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19/08/2024, 01:17

General

  • Target

    4b314081bcb5531e368729bd169b6520N.exe

  • Size

    76KB

  • MD5

    4b314081bcb5531e368729bd169b6520

  • SHA1

    26a334cba2d2873df0fd811dba841622208af408

  • SHA256

    5483aadefaa81c09f0fe892527ff0003aadf557f64a0fcf5486618e80130abfe

  • SHA512

    3a390a26faade5c9b2efb19dba187941ed28faba4b3ae74513ef27a7f68f4a3a756e7a0459072834ddd53869bcf5dcc58e042a685e71171ed50bdfd56466274c

  • SSDEEP

    768:/7BlpQpARFbhIYJIJDYJIJPfFpsJcFfFpsJcC+3mC+3meDAfABJ6fABJwEXBwzEd:/7ZQpApze+eJfFpsJOfFpsJ5DL

Score
9/10

Malware Config

Signatures

  • Renames multiple (5112) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b314081bcb5531e368729bd169b6520N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b314081bcb5531e368729bd169b6520N.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:468
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

    Filesize

    76KB

    MD5

    9e1b832dd0783ccd57a169a712646883

    SHA1

    129e03833555f0251754f2ae998082f22ab83ea4

    SHA256

    2a2c5bb0ce579500615f2a8f524aa6e1caff4d3cc4b0d24a41ed90e63f00e1ce

    SHA512

    07bb7c133ddb7705b5e5b96d7f10bbb75fb7f386a6bc590f47230424005ea22d83b6f5d220c96aac788ff1767bea004315678f86672066ada4e0f3d06fd77e31

  • C:\Program Files\7-Zip\7-zip.dll.tmp

    Filesize

    175KB

    MD5

    b61d54112d9ae1fa7c7c52d5650cecce

    SHA1

    f55f24890fc90427a0d99a9050cede93f59bc7e3

    SHA256

    0cc20d425972b4ae01de2c63679983e6e92fae2f1c8ab63a4c11b33414680188

    SHA512

    efca2792c905f72b4221b3839d693344e280c2df658d8c39812578ab2647be34422020e0c78bfac2cdfc41e686d83264bf2bf715ae7879dbad7bd7794e475fc8

  • memory/468-0-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/468-824-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4856-877-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-879-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-878-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-893-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-899-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-898-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-897-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-896-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-895-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB

  • memory/4856-894-0x0000015ADAFD0000-0x0000015ADAFD1000-memory.dmp

    Filesize

    4KB