Analysis
- max time kernel: 120s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/10/2024, 03:46
Behavioral task: behavioral1
- Sample: f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe
- Resource: win10v2004-20241007-en
General
- Target: f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe
- Size: 238KB
- MD5: 48283a908d6695618f0bd9db318f8790
- SHA1: ab13ffdad3378e8bb5ad461578abd5a0832b4fdc
- SHA256: f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73
- SHA512: a1c9170dae3d9de80c80174c7f5da47df9f8bdcefd5730f0d0229b72ef3caa86413047d58f464813867be1bf41743400be59b060bca0cfe488857806e0de3fc1
- SSDEEP: 3072:fny1tE/sitCab47kATGB1HtE/sitCab47kATGB1o:KbEn/bNEn/bo
Malware Config
Signatures
- Renames multiple (3379) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Matches yara_rule "upx" in the following resources:
  - behavioral2/memory/2128-0-0x0000000000400000-0x000000000040B000-memory.dmp (yara_rule: upx)
  - behavioral2/files/0x000c000000023b3b-2.dat (yara_rule: upx)
  - behavioral2/files/0x0014000000022905-6.dat (yara_rule: upx)
  - behavioral2/memory/2128-638-0x0000000000400000-0x000000000040B000-memory.dmp (yara_rule: upx)
- Drops file in Program Files directory (64 IoCs)
  All 64 entries have description "File created" and process f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe. IoCs:
  - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp
  - C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\manifest.json.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp
  - C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp
  - C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp
  - C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp
  - C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp
  - C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp
  - C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp
  - C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp
  - C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp
  - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp
  - C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp
  - C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader.dll.tmp
  - C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
  - C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp
  - C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp
  - C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp
  - C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp
  - C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp
  - C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp
  - C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp
  - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp
  - C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp
  - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp
  - C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp
  - C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6cd12da23cd08fecfaf01cd3d39c69d3a6beae29018c243e1424db807a8fb73N.exe"
  PID: 2128
  Signatures:
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 238KB
  MD5: 8a2619aebf896b37173e7f3fad25aa23
  SHA1: 95dc752797db7640adbedd9749a1af9851e86d4e
  SHA256: f5de1035b26cd509da72a08b18e332501f8362939acd0096fe11829a276dbbb9
  SHA512: 23a108c3cce4d558b3a35851e8de42f5b392c004e29eb938b5201475e114d98455c560623a62533a3847e7894149f2e6371121b49785fdb27bd9c752c198d5c8
- Filesize: 337KB
  MD5: 611b5fba281ca6dfbd337e6500c8751a
  SHA1: 371342cfe9cc537d8a9ddf906efebc8014a16502
  SHA256: f9f012f1539d8eb14c9d75786d6f69dfcdf80ce240a834276e9fe81787daa9fb
  SHA512: afd821d3c9f0349434f7f9ce26fd1d91a3c2ef977ae3f2aa229776a316a805a3a27ae10029040060780a94ab465a5847ec3a815f7dd067d22c2c26f1f633012f