Analysis
- max time kernel: 120s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/10/2024, 04:17
Static task
- static1
Behavioral task
- behavioral1
  Sample: b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe
  Resource: win7-20241010-en
Behavioral task
- behavioral2
  Sample: b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe
  Resource: win10v2004-20241007-en
General
- Target: b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe
- Size: 50KB
- MD5: bf7d36e3dd796107f570fb1206086730
- SHA1: 01b71ad4a16d4d70249d69c58a5e19d3731f4024
- SHA256: b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09f
- SHA512: 65e5100d597c2c2478f7e85a718b093e7950b927b1c187e843ee4449238fdbbae2da6a80a578d1a59aa40bf54a955a3c211e6d53afa6b0328e202b249dfaf6cd
- SSDEEP: 768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSThy:W7ZhA7pApM21LOA1LOl6vSQ
Malware Config
Signatures
- Renames multiple (4622) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe (PID: 5020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5c104b8d8e6cc7b35f5fb5f3eb1135b0108bbfe885d8a392d5b5f8c50cdc09fN.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 51KB
  MD5: cdcf1e469b8c77aff0e6c8cbae613a34
  SHA1: e4ce14e296e82222b3ffde6e813d05f4ef0af989
  SHA256: caa02c9349d8f20fe72be3591c25b82fb9f7a0b262de6503c7d9c80fb3f66f9f
  SHA512: a63ad93d71736857c72811ae079415497a354d61d120dc79e874991f8b917167ed407e2d223126b14d3565ed5777a379d075272f5bd039ca975068fb42dfd0a5
- Filesize: 149KB
  MD5: dd40ad89b4a24d73bd8cd4e3b60bc6b6
  SHA1: a61e1bd44ffd741c48c6d4ddfc7b1e9c032560ba
  SHA256: 5618ae852a9f2fc22fa7a02a028cc314ae963644d9e465bb3d49186ed9a42eea
  SHA512: b5709c3922e57ea998abf991d304641d0c3773cdc9711ffdfd94d044c911e0dabbcebc48fbb836d3a6ffb5d2218684be10eeb97cc4befa9bb35e2a7472a582cb