Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11/11/2024, 06:13
General
-
Target
rkill.exe
-
Size
1.7MB
-
MD5
6d622dcc87edc9a7b10d35372ade816b
-
SHA1
47d98825b03c507b85dec02a2297e03ebc925f30
-
SHA256
d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
-
SHA512
ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
-
SSDEEP
49152:KpEsgw14kZV2HXsMnmjEREseBSsxHnfXsrHYi2Yijig:0wYJYW
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rkill.exe"C:\Users\Admin\AppData\Local\Temp\rkill.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rkill64.exeC:\Users\Admin\AppData\Local\Temp\rkill.exe2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Notepad.exeNotepad.exe C:\Users\Admin\Desktop\Rkill.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
964KB
MD5ae368c10327fe7a8e5c875360e529b35
SHA1d69fad67631f48f2eee9109a368eb176356da531
SHA256797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7
SHA512e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67
-
Filesize
514B
MD54748e8bc20393b0eba2ec46550720d40
SHA12d2938d66d1365f918464d147ef5fc0c33051c1d
SHA256ecf35b01f5e6db3d1b766d8cb67d1280c9318ea7285b233f2c5fcf6c2f298826
SHA5125d0394f15efeeff0c2b60e8870f91789f3e310f354dc45137f89aa77afefe645d22ebdb5ab7f319b52c554f8f37bf4d74f19ce92d5408f341e58a253fe02492c
-
Filesize
3KB
MD58b6a29ccf063a54527d207b01be5e999
SHA16efab8a54679ea5aa75292747831b1ea06d90ea9
SHA256f5173c83e6f8e2e86405a7f891ae179faa4009fd05a28815ddf6f2466845e90e
SHA512255a0742eae75237659e048b3820ca3e2caed3a3bf5e4053491770b660124b0a8d962dcb5b794d766ea32ca02826a5888f42f81a8a022533835ed9cebf8fb845