Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/01/2025, 13:41
Static task: static1
Behavioral task: behavioral1
Sample: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Resource: win10v2004-20241007-en
General
Target: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Size: 550KB
MD5: 1ac6567d7ffb565fe0564093d5edbf00
SHA1: 4a29a6c735a40b6662a3fbf7c50c9fdadc68e141
SHA256: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1
SHA512: c47ed1d72d673ad2c3c0e5454a878480d158760b281413a618eb7dc8a76ae33325703acf38e342c07923625be6b493b3ba75fb10c4d4431c2dd09b58df924222
SSDEEP: 6144:+VfptYpsqBfiuMFbkLbf+76uWx3YTGUpa7WC34QKQt9mmg3VB0qg8:usiLu6P7Q3sGUvQK2gdby8
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_7B2A6_README_.hta
Family: cerber
Signatures
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Cerber family
Contacts a large (588) number of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Description: Key value queried
IoC: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Drops startup file (1 IoCs)
Description: File opened for modification
IoC: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\
Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA894.bmp"
Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Drops file in Program Files directory (20 IoCs)
Description: File opened for modification (all by 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe)
IoCs:
\??\c:\program files (x86)\microsoft sql server
\??\c:\program files (x86)\microsoft\word
\??\c:\program files (x86)\onenote
\??\c:\program files\
\??\c:\program files (x86)\
\??\c:\program files (x86)\powerpoint
\??\c:\program files (x86)\steam
\??\c:\program files (x86)\microsoft\onenote
\??\c:\program files (x86)\microsoft\outlook
\??\c:\program files (x86)\office
\??\c:\program files (x86)\outlook
\??\c:\program files (x86)\the bat!
\??\c:\program files (x86)\thunderbird
\??\c:\program files (x86)\word
\??\c:\program files (x86)\excel
\??\c:\program files (x86)\microsoft\office
\??\c:\program files (x86)\microsoft\microsoft sql server
\??\c:\program files (x86)\microsoft\powerpoint
\??\c:\program files (x86)\bitcoin
\??\c:\program files (x86)\microsoft\excel
Drops file in Windows directory (1 IoCs)
Description: File opened for modification
IoC: \??\c:\windows\
Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description: Key opened
IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Description: Key opened
IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: mshta.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PID 2668, Process: PING.EXE
Kills process with taskkill (1 IoCs)
PID 4644, Process: taskkill.exe
Modifies registry class (1 IoCs)
Description: Key created
IoC: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings
Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Runs ping.exe (1 TTPs, 1 IoCs)
PID 2668, Process: PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 3096, Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
PID 3096, Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token: SeShutdownPrivilege, PID 3096, Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Token: SeCreatePagefilePrivilege, PID 3096, Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe
Token: 33, PID 3636, Process: AUDIODG.EXE
Token: SeIncBasePriorityPrivilege, PID 3636, Process: AUDIODG.EXE
Token: SeDebugPrivilege, PID 4644, Process: taskkill.exe
Suspicious use of WriteProcessMemory (9 IoCs)
PID 3096 wrote to memory of 2124; Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe; procid_target: 87
PID 3096 wrote to memory of 2124; Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe; procid_target: 87
PID 3096 wrote to memory of 2124; Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe; procid_target: 87
PID 3096 wrote to memory of 3348; Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe; procid_target: 96
PID 3096 wrote to memory of 3348; Process: 10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe; procid_target: 96
PID 3348 wrote to memory of 4644; Process: cmd.exe; procid_target: 98
PID 3348 wrote to memory of 4644; Process: cmd.exe; procid_target: 98
PID 3348 wrote to memory of 2668; Process: cmd.exe; procid_target: 99
PID 3348 wrote to memory of 2668; Process: cmd.exe; procid_target: 99
Processes
C:\Users\Admin\AppData\Local\Temp\10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe"
- Checks computer location settings
- Drops startup file
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3096
    C:\Windows\SysWOW64\mshta.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_W8UC7VE_README_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - System Location Discovery: System Language Discovery
    PID: 2124
    C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3348
        C:\Windows\system32\taskkill.exe (depth 3)
        Command line: taskkill /f /im "10249c5098fc904195cc93885fd69c523b1b8c05159f95018e2e1a23c06ca8b1N.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 4644
        C:\Windows\system32\PING.EXE (depth 3)
        Command line: ping -n 1 127.0.0.1
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2668
C:\Windows\system32\AUDIODG.EXE (depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x4e0 0x4e8
- Suspicious use of AdjustPrivilegeToken
PID: 3636
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: a67442bc88bf0c3d043f3213d31224af
SHA1: ff47271f91110f46ba79197954224048b7f52a5e
SHA256: e82ff7ad707aa90ad116e403ab25400c1150d1da334984e58e630281efbf1c36
SHA512: e136aeacc8b818249166f45013e07cc731fbab579e548c81e7a2724c51f8f83d378d727bd2b68264ab71f6c066890a1ddd84a7a726c1bf8cce33c49845062fb4

Filesize: 150KB
MD5: 1493462a1876962d870d448f9cf693f0
SHA1: 66cd072ad43316dc861463eae93b8c722f815906
SHA256: 08c2068e75b579259672114ce04af3545d98aae288305edb3aec82e8655242a0
SHA512: 3773aeb63cfe06191ff89d90d05ef9bb6cab97733cf74df25f5815bc5bf3559aef35211434ac280ff9c2fd033a8b6e485994ffb10ffec918e285bf9a5a390235