Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 08:47

General

  • Target

    23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe

  • Size

    525KB

  • MD5

    ce65881ed7d49dc88b9a8aabf3846a80

  • SHA1

    2d24120fa547e4808058c19bcbed60627e90cf5a

  • SHA256

    23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0c

  • SHA512

    d8e5898114c3319662f788ff2143f1a5ca36a6b82ca643e342f5e42ef803ddd8237a7c3efd03683f771562d9d84a0445f4fae7eca7a15c5a3e184e8d7759a899

  • SSDEEP

    6144:KWRt+eH9BpoxJI3ANJuBN0PDGxWSqqcfrj8XzL/3upuqs8j8IvwvWGEuTt3n8/yR:HRtEZNJuzVrcX8GW8j5veWpuTtMf8

Malware Config

Signatures

  • Renames multiple (3271) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe
    "C:\Users\Admin\AppData\Local\Temp\23c2f705711b17b19b5759a3e5d4153b8f5eb856195fc54a1caab74f596eaf0cN.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\_MpCmdRun.exe
      "_MpCmdRun.exe"
      2⤵
      • Executes dropped EXE
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

    Filesize

    69KB

    MD5

    fb0fa6fd5df66f525a0e28370ee58e36

    SHA1

    077d795b2f8c3ddacc9fb216ae447f05d0e899ef

    SHA256

    743d226c57ee6f5063f9308f4b695ffad0ada41d6f3cf466871bced2b98018ba

    SHA512

    22a7d831dff8ff0a65da69d191dadd2b0b1bd07539376e138bf8b198f224c6a6ac003a6a6d39a613ae018a2d932ba22fdea6c557b976a88e9e42058fb918b3a4

  • \Users\Admin\AppData\Local\Temp\_MpCmdRun.exe

    Filesize

    456KB

    MD5

    e08445b7cddf167e3d70734dddcecbc0

    SHA1

    49de5e5dcc5750d841767e537b0fca72b39a159c

    SHA256

    4e25c4181f8b30517eeebd36982c46364f8f1ffa60bce1d0b5bc8df459e71355

    SHA512

    4c761fa4a8b013a972095356b9f1aa45f3f6e738cb3c0c8b06d2fc38eb0f8e42cb5840dd33193c0048a7a628db98324706ce5f58d5227707251d48416465ed07

  • \Windows\SysWOW64\Zombie.exe

    Filesize

    68KB

    MD5

    fe167822bd148aaf800fa4b74a350a82

    SHA1

    a9f9a19f9773a7572b11f1cd6197c31df093318a

    SHA256

    c980cb563ce863dc6e6ce667eb55811cd23fe7a2c0e34e400cb00631cb9f714e

    SHA512

    040d75b8ae9c0b1c1b96ee3db756cf5b8aa56d3bcb7849d93ee44865b5355448631c3d933e58147743914e23093997de54c0614104fcd5aebcc96dfe8b921b23

  • memory/1992-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1992-18-0x0000000000320000-0x000000000032B000-memory.dmp

    Filesize

    44KB

  • memory/1992-17-0x0000000000320000-0x000000000032B000-memory.dmp

    Filesize

    44KB

  • memory/2312-19-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB