Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

2024-11-21...re.exe

windows7-x64

10

2024-11-21...re.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 02:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-21_46e0d77fd57690bbab3c8ded7015a79a_bkransomware.exe

  • Size

    1.4MB

  • MD5

    46e0d77fd57690bbab3c8ded7015a79a

  • SHA1

    d4b8df6b54c0eb7fdb344d75766a1a71ee74796b

  • SHA256

    7142feb70d6d709c2c6e1ad58a1c69f5348e30d3e5b7154847a7fa4fcc4aab61

  • SHA512

    ba0b8607617bfca14641ae5781a6cd161d31f83989a42b903f63db886a341f9cb96a219b790938ad68848e3436d1d3ed558f30ec605135d297417a7c70f0e37e

  • SSDEEP

    24576:E301J529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNn/fI4Ca7:EEI9+ApwXk1QE1RzsEQPaxHNXfZ

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-21_46e0d77fd57690bbab3c8ded7015a79a_bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-21_46e0d77fd57690bbab3c8ded7015a79a_bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Java\jdk1.7.0_80\README.html
    Filesize

    136B

    MD5

    1ca562aea2a0b9b55f6bf262d4ae62a9

    SHA1

    723e523d85be40d8dfa4e0138d4496f7ee29e6d7

    SHA256

    b55311d568626d5fd1d74b290f87d649d23260b25a2a4c6e73fbeb0f9462d6da

    SHA512

    ecf59c6de6402010acd366e928819df05152b633ce50470f93679870d490bf5b2d3ad2b3eb78d46518dfd5b2ac941c0babcb485e546c469080a4baba03ab685d

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html
    Filesize

    921B

    MD5

    35dea6961c1f36a7a98d76b7650ae6f1

    SHA1

    4d8521213d41aa30035a1559843cb2d2bc1ec8e4

    SHA256

    acf9d9bf216c3e117801276a1a656ca0b2db58065f3db3fb029b594a67d7be76

    SHA512

    65971bf7a85b2beb9c7758f9a02229de0def1752bea285ec9774843eec694da8a15392c25d9cc449fab37dbb1a53edfadd0222c6c6dd182d8ac8a4a9db217d73

    Download Submit

  • C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize

    109KB

    MD5

    620b708f2bd2d493c94dea9f76329366

    SHA1

    47be9fdc5524ed992b6ec95e093f786b20993ceb

    SHA256

    588492a8584b2358a0d450753442807bb83a31771f80c180837a9ac2afff9018

    SHA512

    8951fb209b57ce0f64f0cb8782b7c8b0e7780da104868ba1bac8eeb8a52ba397f1b21f6089bb689788606d1cd166bb94975d7c4861993217950885bb1cde384f

    Download Submit

  • C:\RCXEBC7.tmp
    Filesize

    69KB

    MD5

    8ba404e90194c38541e324657e72f74c

    SHA1

    ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

    SHA256

    8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

    SHA512

    1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

    Download Submit

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
    Filesize

    362KB

    MD5

    76929568cf8c1933cd09948c00dd82cf

    SHA1

    01c3787cf4327c62f007aa5e56366146b81cfe1f

    SHA256

    f8e94bb648cf7444a04030eb3047d989770519e00c5bea8425e21f1bc6d73385

    SHA512

    bd8b043278b095bed4157abda1f9971cf7a49bf13ba36b0da207cef65a5e2c7e714034c946b8292333000f5172460c01a3ecf18e4f0da3f2852a4ba49d08cf4e

    Download Submit

  • C:\vcredist2010_x64.log.html
    Filesize

    85KB

    MD5

    8704e57196ee942ead971c51cc731205

    SHA1

    b16cc80a5b2d2e9b100302cd82cb0487b9d417cc

    SHA256

    7eb46b8be1dfc37d30dd0c75157676ce0709f8c1736f470d37047955c7c04c79

    SHA512

    62c5ecbb6a7f5a30cc3f877ae7a2e51ed8f58555c388629d7e10b37bfa4c61959045e7d758a0dd7a2b8950d290e10db20ca80ea6e5ffb92b7f07185b3699a8d2

    Download Submit

  • C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
    Filesize

    379KB

    MD5

    1f82906b3d490bedd362afb128652034

    SHA1

    636b00a9e6a4c40b009eb41f1d749126977ed94d

    SHA256

    2f84af725159c211afb140cffa27925f3d0d45e7dd23e12d25e8e75ddde0e005

    SHA512

    496fe2c25c4d5ef3bcf332df758d432d17865ae2594a37185d5e53491399917ab89760ccc9e636efbff836417997e7cf7408122cb17688ecb4c58ec27a60ad71

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    149KB

    MD5

    e039223934ac5f5e5bdd42d17c220b38

    SHA1

    652556e6a2196196e49def730db16ffdd9ca3291

    SHA256

    895097778b0217d11775c14d04f7a122e97288bca418ed52427aaf42c4924728

    SHA512

    c7693c5bc4193292a4a54af8fba4c999f297ffdc17d22a5ffa3b87f77cb02ca8a685d039f3872d51307cf1d7520da90f4206a01c35f828ee701b0fb8dfb9a991

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\S-1-5-21-3551809350-4263495960-1443967649-1000 .exe
    Filesize

    149KB

    MD5

    589dab1ed770eab54a1a57017f8ea10f

    SHA1

    299fab1648530792990af734ce834dc1111129e8

    SHA256

    d3f76ceb73e8956593a2023bb9d515406974b8cf515a49217190277717537c2d

    SHA512

    2705abe2bb0eb7c45dffaf8eb69088141ec0bfbf69fca2a39a1119dba1231e188b3f3ccaba131f3b0d52bd107053fc852687c3106dc9871ca803b74095e66066

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\WinrRarSerialInstall.exe
    Filesize

    149KB

    MD5

    8baf13cf2cf4176a2f7b8410a3451bcd

    SHA1

    21c25bc72d180882ebe99bee73c56bc935ecab39

    SHA256

    460481e3c143a1e621b012d5866d2e2abb7adb55648a67f602ece419bf4d09b3

    SHA512

    0d95929bc7a2378af5ea6b80d942d22a9c09b0a09b709e0b4202584f92ba463b30bd8db540526cf553782cb3bcbb27c0b073fca65b1a9f3dc1145c699b9a6369

    Download Submit

  • F:\zPharaoh.exe
    Filesize

    149KB

    MD5

    1cb3d062936927d4f5df76f652cf8062

    SHA1

    15bd2c5a3d0d3a472c81e048384019a2aae0629e

    SHA256

    aa741b7787231b3de7ebf92284c31ebf4a5610e27457fdf99afd774fe86a89ab

    SHA512

    b3cf4a31d4a00b887592d202d91d2f8b6dc6d1b9aa62d7fbf43720e7df1681dba8c02725232c52a40d851ec171b380bbfba98b62e177282b8a381755c6042b34

    Download Submit

  • \Users\tazebama.dl_
    Filesize

    149KB

    MD5

    2371fabd6555639e975c8b8a55f35643

    SHA1

    a642897675426cdf7d1f894657c1d4b3fbd08639

    SHA256

    900e6fc908e863f67af32e7d5915f14584ca6c48714a53d7b123ca1a21ee111a

    SHA512

    15c0c24d2e1e79339cbb8b030bcaa16be5c28b0e4f0bd43191f3bbf560defcf5b0d231587e52857b86126bdc5c50877ac2d7d4e2ec7969c520def32b78e58ff8

    Download Submit

  • \Users\tazebama.dll
    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

    Download Submit

  • memory/1904-12-0x0000000000250000-0x0000000000266000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1904-14-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1904-13-0x0000000000416000-0x0000000000422000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1904-7-0x0000000000250000-0x0000000000266000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1904-1-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1904-493-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2688-16-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2688-918-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download