Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/09/2024, 11:10 UTC
Behavioral task
behavioral1
Sample
d73828d042040527dad227e2e46e2a00N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d73828d042040527dad227e2e46e2a00N.exe
Resource
win10v2004-20240802-en
General
-
Target
d73828d042040527dad227e2e46e2a00N.exe
-
Size
83KB
-
MD5
d73828d042040527dad227e2e46e2a00
-
SHA1
35eecc104a62545d0b1d572ce0052a1fdb019df2
-
SHA256
36dcce34ed33fdeb4826a7e57cf9b86f666efc3a4637c13a697b3d79f800ba87
-
SHA512
07ef749bf4da0cfc160b4bc9d7eb3b130436885b1e12bb0f6cf4f6009b429f8991aae152b427684a54c961d12ecbb3556f9593a92abfea9d4825944431854e82
-
SSDEEP
1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8IZTkb/b8QH:fnyiQSo7Zgr4QH
Malware Config
Signatures
-
Renames multiple (4354) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource yara_rule behavioral2/memory/1504-0-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral2/files/0x0009000000023582-2.dat upx behavioral2/files/0x000600000001690a-7.dat upx behavioral2/memory/1504-806-0x0000000000400000-0x000000000040B000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\7-Zip\Lang\ne.txt.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp d73828d042040527dad227e2e46e2a00N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp d73828d042040527dad227e2e46e2a00N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d73828d042040527dad227e2e46e2a00N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d73828d042040527dad227e2e46e2a00N.exe"C:\Users\Admin\AppData\Local\Temp\d73828d042040527dad227e2e46e2a00N.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1504
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:81⤵PID:2556
Network
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request140.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request81.144.22.2.in-addr.arpaIN PTRResponse81.144.22.2.in-addr.arpaIN PTRa2-22-144-81deploystaticakamaitechnologiescom
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
198.187.3.20.in-addr.arpa
DNS Request
198.187.3.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
81.144.22.2.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD547c1e1d8124e6e37cdbdca836c3419ce
SHA10ea0c02df0977a816beef84e7f0fd054a5641e23
SHA256091a1198dbe69826aa72251962227d46ce4e8b6c8aec7318671da08cd4015342
SHA512a951993b5ac515b6dfa960664864701b8fb0e61ef0e13ad92322d88c740854b8cfc341a589c546ca2e535e8023751664d242128e8d0c03d5618c0a063c930b8f
-
Filesize
196KB
MD53ab5e08cb5c2da6c0dc7680903fe2eec
SHA18167fc41001e3dddae39eba5d6eec3de9b14d035
SHA2569ff61a180a650533593492080d0715e4de0a8764ab4945a9f134f0f64cb522c3
SHA512eb20200cd73e23b22b01ce836c4b7fecfc588c3f9beed8d57780e68be719439f298285657295695661c6d6552feba4249dbc6fb11cd2db974826f606c08b23a5