Analysis
-
max time kernel
120s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16/10/2024, 04:20
Behavioral task
behavioral1
Sample
c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe
Resource
win10v2004-20241007-en
General
-
Target
c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe
-
Size
90KB
-
MD5
b3bd09a6d1604ab8188a044862a30410
-
SHA1
902ebce82db8754e106b5e015524356f13d1d7a4
-
SHA256
c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4
-
SHA512
adb5df5a2f4e70b3cdd272c313a67ecedceaf231f03fd16ca82e63a24796357e63f2f3eb536a3b9f41f20f80c5445f61535655dfa514a2b602158cb726980ee5
-
SSDEEP
1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8zxY5J:fnyiQSox5J
Malware Config
Signatures
-
Renames multiple (4421) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource yara_rule
behavioral2/memory/1988-0-0x0000000000400000-0x000000000040B000-memory.dmp upx
behavioral2/files/0x000b000000023b85-2.dat upx
behavioral2/files/0x001400000002291d-6.dat upx
behavioral2/memory/1988-668-0x0000000000400000-0x000000000040B000-memory.dmp upx
-
Drops file in Program Files directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe "C:\Users\Admin\AppData\Local\Temp\c6805c3e6b9f3aefcba0b960d888bb8b2e7e9ffc3d20458890ec138be1e51eb4N.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1988
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
90KB
MD5 1e18d47e8814f572a4b433f75b5c3231
SHA1 7b7ebbead8db10abab77060c278310eed805498b
SHA256 375b6b0c96a9799cb93d92fbdc81d6b91cf963737e88f9669630cad61eea1add
SHA512 f53adf698fc3a5f9bd3cf8eee86de2c8b364a2bd616647ba99c5010cad657aacc7ba2d5a75a2c116e9abe890d610c93b8cee1043c3063f385be1a818e797f7cb
-
Filesize
189KB
MD5 19d59b9010e56deb84c35ebedd16b2a7
SHA1 de963e51a76f5c669496d4cf70e96df5bf64011b
SHA256 a025f2febf0557a5e7964a19f5a4d712767a2b157b3f49cbb2e5e2d62c636691
SHA512 ca73215e52c77c4a1d592b831cac12a68fb5adaac767c5f6d0b0f662c4bfed845b1902c77cc7b1ed23ec2db7538eae2f0f19c4ea06035d54aeb3d65166fc2628