Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

rkill.exe

windows7-x64

8

rkill.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/11/2024, 06:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rkill.exe

  • Size

    1.7MB

  • MD5

    6d622dcc87edc9a7b10d35372ade816b

  • SHA1

    47d98825b03c507b85dec02a2297e03ebc925f30

  • SHA256

    d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a

  • SHA512

    ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58

  • SSDEEP

    49152:KpEsgw14kZV2HXsMnmjEREseBSsxHnfXsrHYi2Yijig:0wYJYW

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\rkill.exe
    "C:\Users\Admin\AppData\Local\Temp\rkill.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Users\Admin\AppData\Local\Temp\rkill64.exe
      C:\Users\Admin\AppData\Local\Temp\rkill.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\System32\Notepad.exe
        Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1412

Network

  • flag-us
    DNS
    crl.microsoft.com
    rkill64.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.117.22
    a1363.dscg.akamai.net
    IN A
    2.19.117.18
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/WinPCA.crl
    rkill64.exe
    Remote address:
    2.19.117.22:80
    Request
    GET /pki/crl/products/WinPCA.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 530
    Content-Type: application/pkix-crl
    Content-MD5: Xiddt2GqWiOsZRr49sSgAA==
    Last-Modified: Tue, 08 May 2018 21:14:18 GMT
    ETag: 0x8D5B528A905E7D5
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 65de7b2c-301e-001f-024b-d9f4b4000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Mon, 11 Nov 2024 06:16:19 GMT
    Connection: keep-alive
  • flag-us
    DNS
    crl.microsoft.com
    rkill64.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.117.18
    a1363.dscg.akamai.net
    IN A
    2.19.117.22
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.19.117.18:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
    Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
    ETag: 0x8DCDDD1E3AF2C76
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Mon, 11 Nov 2024 06:16:49 GMT
    Connection: keep-alive
  • 2.19.117.22:80
    http://crl.microsoft.com/pki/crl/products/WinPCA.crl
    http
    rkill64.exe
    374 B
     1.1kB
     5
    3

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl

    HTTP Response

    200
  • 2.19.117.18:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
     1.7kB
     4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    crl.microsoft.com
    dns
    rkill64.exe
    63 B
     162 B
     1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.117.22
    2.19.117.18

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    rkill64.exe
    63 B
     162 B
     1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.117.18
    2.19.117.22

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Desktop\Rkill.txt
    Filesize

    3KB

    MD5

    e7a05f4a5d20d6e66813ac8afcce9ce4

    SHA1

    56e325e9276e6a995040fcb367a193099658722d

    SHA256

    070e3fae740f87379d86584746cd68b88c8f974409783df108089a596ccbbccc

    SHA512

    fa9493c27274b7510d9ec50b0223fcf394e5c83ac109c565feba9efb1101ba50dcdef7e693e545823eec3742bbf41a20ba9942adb86c431fc00aaba4654186a7

    Download Submit

  • C:\Users\Admin\Desktop\Rkill.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • \Users\Admin\AppData\Local\Temp\rkill64.exe
    Filesize

    964KB

    MD5

    ae368c10327fe7a8e5c875360e529b35

    SHA1

    d69fad67631f48f2eee9109a368eb176356da531

    SHA256

    797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7

    SHA512

    e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.