Analysis
- max time kernel: 255s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2024, 03:04
Static task: static1
Behavioral task: behavioral1
  Sample: RGGV.txt
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: RGGV.txt
  Resource: win10v2004-20240802-en
General
- Target: RGGV.txt
- Size: 644KB
- MD5: 0d31055db83286b5e0aafc69609502ac
- SHA1: 63c50a5e0126329ce24f064af90f9ffb90394013
- SHA256: f87fc3458d3c60ce33788f11a04315f7c469b3dd0bcc26e76da52bec1f89cb6b
- SHA512: f547d0924f899ac28d71763f34cff7f8fc13697548bbdae6e3b5893b537e63a8fab90032b245ad60781310dcea222f3a6c5a1ebb8c0e84f5ce94722899f8b8ce
- SSDEEP: 12288:dkOTDFNXjOsggjpM3IzJquTTYuDu6pELjN/nwVNNi:d/VNlVjpRJ7TTYuDfcjN/wD4
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid  | Process
  3092 | NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       | pid  | Process | procid_target
  PID 3600 wrote to memory of 4544  | 3600 | cmd.exe | 121
  PID 3600 wrote to memory of 4544  | 3600 | cmd.exe | 121
  PID 3600 wrote to memory of 4544  | 3600 | cmd.exe | 121
  PID 3600 wrote to memory of 1816  | 3600 | cmd.exe | 122
  PID 3600 wrote to memory of 1816  | 3600 | cmd.exe | 122
  PID 3600 wrote to memory of 1816  | 3600 | cmd.exe | 122
  PID 3600 wrote to memory of 3924  | 3600 | cmd.exe | 123
  PID 3600 wrote to memory of 3924  | 3600 | cmd.exe | 123
  PID 3600 wrote to memory of 3924  | 3600 | cmd.exe | 123
Processes
- C:\Windows\system32\NOTEPAD.EXE
  Command line: C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\RGGV.txt
  Signatures: Opens file in notepad (likely ransom note)
  PID: 3092
- C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3600
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: regasm
    Signatures: System Location Discovery: System Language Discovery
    PID: 4544
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: regasm /stext C:\Users\Admin\AppData\Local\Temp\RGGV.txt
    Signatures: System Location Discovery: System Language Discovery
    PID: 1816
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: regasm C:\Users\Admin\AppData\Local\Temp\RGGV.txt
    Signatures: System Location Discovery: System Language Discovery
    PID: 3924
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 42B
  MD5: 84cfdb4b995b1dbf543b26b86c863adc
  SHA1: d2f47764908bf30036cf8248b9ff5541e2711fa2
  SHA256: d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
  SHA512: 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce