Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

2024090715...re.exe

windows7-x64

10

2024090715...re.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2024, 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    202409071570e083f752001536b68694ef464704bkransomware.exe

  • Size

    1.4MB

  • MD5

    1570e083f752001536b68694ef464704

  • SHA1

    ff45e1727d3146f61c8cd437fee9d9ccc3c5d057

  • SHA256

    b6123559a74d83caabc9c15508c32afe5e202800ab8056896fd9cd2a9bf03fb1

  • SHA512

    18a0e118b015c8d908180e65816318918de96a22cce17194976ade6e9b23dfaca318214a7dd7cb47ede0f76d80695553dad51e144b7c59b0b2b399a1b8033646

  • SSDEEP

    24576:E30XJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNnkv+IFT5:EEW9+ApwXk1QE1RzsEQPaxHN8n

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202409071570e083f752001536b68694ef464704bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\202409071570e083f752001536b68694ef464704bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    151KB

    MD5

    c19ee7b4445fd7908e3aa6e9315d8fa7

    SHA1

    8a84d570e8e10307b179a490fa5568d78891b737

    SHA256

    6c835bca7c361fed304fef525272a0c815f1b856268cad56e2d6413c5363ccb7

    SHA512

    77b055d55f2aa4507e3cc00e375355fd27b7f874e067e7fbf8632b02c3edb23f76abdd80321aa3cd1cfb43b546606ac2c40abbd2742079a7c1c69683e5cc9847

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\RCX66D0.tmp
    Filesize

    69KB

    MD5

    8ba404e90194c38541e324657e72f74c

    SHA1

    ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

    SHA256

    8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

    SHA512

    1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\S-1-5-21-1506706701-1246725540-2219210854-1000 .exe
    Filesize

    151KB

    MD5

    f74b0bbe97e28921bd75b928f2ebab0a

    SHA1

    6b9f8230f7383e0509d00a51fa58d0b1a8ce6c30

    SHA256

    dc65c5c6c0e98412e50ba9d442393277160f8a0ae10c3ff10377bc5f2082bb08

    SHA512

    d078f856a0074db0268b1fbb151c112057688f6d044d2efdf06028b885a8146a75736cad81c5059ed6ecc3e75a1e80b8cd519727aaeffcadf62ac049aaccccb5

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\WinrRarSerialInstall.exe
    Filesize

    151KB

    MD5

    07abf57e6e8aba5cab5b00d587607bc3

    SHA1

    923771805d806dd74a4079fcdb67f8d18f2f1d39

    SHA256

    617e1278e0c2979ced0b0f22ffd7bc5a4753d947d7bc6574e8881090647767b5

    SHA512

    fc26fd5d36e4958ef67330a744487de3fdef4c802ebee822ab51a88ae5ecd98165052a3672e4c16f4f56277429105c910c47eb5020eb697c9995c3b592c5327b

    Download Submit

  • F:\zPharaoh.exe
    Filesize

    151KB

    MD5

    fd7933969bf2b506c9675e5077c4d0a1

    SHA1

    8cf2ef70b5bc8d16892b75d6c922566e2659da61

    SHA256

    32cad49bfbc2198318d4719f09068f6878fab06d4df140a49540f18e8cb44b02

    SHA512

    612d3a9150088609169e6fc751116edc41e8b0ece6a608c6876eb202fb7f8902b21eaa155717e52512f4fbadba9b6f96e803868f8914de5757ef57e40a51aa0d

    Download Submit

  • \Users\tazebama.dl_
    Filesize

    151KB

    MD5

    330bf7399c385ca93a53f90e1ea5e2c7

    SHA1

    9fa1fb65691848277297f91c930bf1032961111d

    SHA256

    253d47febe50818b80646d16bd64e99db90e411dce0c677b5c5687e188c278c8

    SHA512

    6023ff5680fb59284fed819fac0cb43aa065957336f0c47eab8b6ad81968e8a0a21b4cfb9384678138c2f1927c7cdb937902388ccd720ee264def94bbabc813a

    Download Submit

  • \Users\tazebama.dll
    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

    Download Submit

  • memory/2464-30-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2464-506-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2856-1-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-16-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-12-0x0000000000290000-0x00000000002A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2856-13-0x0000000000290000-0x00000000002A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2856-14-0x0000000000416000-0x0000000000422000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2856-116-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download