Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/09/2024, 01:36

General

  • Target
    aace612c922f451c1dee7d54b60485f0N.exe
  • Size
    625KB
  • MD5
    aace612c922f451c1dee7d54b60485f0
  • SHA1
    1fe239d69ca03128e6ac37a2135b298e0c436a09
  • SHA256
    9cb372edffe9ea9a883ebba1038d569b8aa1dd528cdc707ac05f862544c446c2
  • SHA512
    1932bfb6a651723bde6964fe30e3142e8b3f147d58de6b964937e1fd4814957bd5812bf28eed4dac20ce097b4999e069347a0c2cf232d378e02098e977d07153
  • SSDEEP
    6144:SeWQSoOf5uKhbSnHXBMV5jdCBjtsD52dmdLqff86+jVvaYMLOen9Bp1xf2ODuYMY:yQtOUVRMstsD5pAfujVvaYML59RIgR

Score
9/10

Malware Config

Signatures

  • Renames multiple (2867) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aace612c922f451c1dee7d54b60485f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\aace612c922f451c1dee7d54b60485f0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3032
    • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
      "_MpCmdRun.exe"
      2⤵
      • Executes dropped EXE
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp
    Filesize
    72KB
    MD5
    f2925ec05d541ba0b48c1a3e04f172c7
    SHA1
    a1e3b874c2d528fe23a224634e2451e7fbc50fb1
    SHA256
    b0e8b996cc6359cbb1f6526ebf46219e9da72d875f1d9b78d626d1a484af00b2
    SHA512
    ebb4717987c8700a9f9b3f8d4fddf30d303785e19f57684b3ba45dad64e88f2240c970d29c29fcdcff28b9f56fdfcb539204620717105ec7525bba626138d9af

  • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
    Filesize
    553KB
    MD5
    d20b034be63c99803fb9b659d5e08c4f
    SHA1
    cc6846f52e59a0c84a16fcadca34a8996630a0d2
    SHA256
    ac9142ef4843eed75a010d6d31386f288757e9bffab9072eeb20c4a16ab5a26b
    SHA512
    fdf53323a320e39b98c0a0b327437e96dd1d405025b93d8909cd3821dbdec0ef9bc1bec09a6471d31b3f7af07ce587aa450c7bc2da56ce7abfaa6a607bc2b168

  • C:\Windows\SysWOW64\Zombie.exe
    Filesize
    72KB
    MD5
    164dcc263625567891f12dbf65133712
    SHA1
    7dcf919defe5c4b27b4cb6b2503f68801f593fee
    SHA256
    00fa6029f24c18aebc7ad3afe77fad5aa6d10f8fbbc4a17ebfcf9aaaaa2c944a
    SHA512
    22dbefd046ae5f49d7e0ee576e15bbef30f8b32c3b6bf3e60acedab558c0b827512a5a96fc4c95e162dd78e906141924f6d9fe6ae27f34a768d48729c45711ab