Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    17/01/2025, 16:14

General

  • Target

    21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe

  • Size

    240KB

  • MD5

    fb1caeec84e0c4438963ce0fb133278d

  • SHA1

    2884cf44f8241a427a61ab7c54842e78a8b5b609

  • SHA256

    21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706

  • SHA512

    c55e0b640d3601f2b4d897599619796153e7007bdbd64a8455fd035ad787870bf2b8bde68a15dec40a4a24c0be8fc97790d125f9ab56b05ee3001679982ef997

  • SSDEEP

    6144:0haKwdeU7LyrC6pnv445VEXs5kzlu/e7QCsXqB:0hydeUvEpbQsx/eMvqB

Malware Config

Signatures

  • GandCrab payload 4 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
    "C:\Users\Admin\AppData\Local\Temp\21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:612
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1544
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns2.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2068
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:536
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup carder.bit ns1.wowservers.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1764
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.wowservers.ru
      2⤵
        PID:2312
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns2.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2620
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns1.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2380
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1776
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns2.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1592
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns2.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1608
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns1.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2792
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3036
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns2.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1916
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns2.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1908
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns1.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2948
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2808
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns2.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:580
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns2.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2812
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup ransomware.bit ns1.wowservers.ru
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2856
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup carder.bit ns1.wowservers.ru
        2⤵
          PID:2820
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup ransomware.bit ns2.wowservers.ru
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2648
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup carder.bit ns2.wowservers.ru
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2772
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup ransomware.bit ns1.wowservers.ru
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2352
        • C:\Windows\SysWOW64\nslookup.exe
          nslookup carder.bit ns1.wowservers.ru
          2⤵
            PID:2712
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup ransomware.bit ns2.wowservers.ru
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2172
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup carder.bit ns2.wowservers.ru
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2428
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup ransomware.bit ns1.wowservers.ru
            2⤵
              PID:2056
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup carder.bit ns1.wowservers.ru
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2880
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup ransomware.bit ns2.wowservers.ru
              2⤵
              • System Location Discovery: System Language Discovery
              PID:628
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup carder.bit ns2.wowservers.ru
              2⤵
                PID:944
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup ransomware.bit ns1.wowservers.ru
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1740
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup carder.bit ns1.wowservers.ru
                2⤵
                • System Location Discovery: System Language Discovery
                PID:3020
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup ransomware.bit ns2.wowservers.ru
                2⤵
                • System Location Discovery: System Language Discovery
                PID:3064
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup carder.bit ns2.wowservers.ru
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1732
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup ransomware.bit ns1.wowservers.ru
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1508
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup carder.bit ns1.wowservers.ru
                2⤵
                  PID:2180
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup ransomware.bit ns2.wowservers.ru
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2104
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup carder.bit ns2.wowservers.ru
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:2032
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup ransomware.bit ns1.wowservers.ru
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1060
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup carder.bit ns1.wowservers.ru
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1924
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup ransomware.bit ns2.wowservers.ru
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1864
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup carder.bit ns2.wowservers.ru
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1052
                • C:\Windows\SysWOW64\nslookup.exe
                  nslookup ransomware.bit ns1.wowservers.ru
                  2⤵
                    PID:1564
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup carder.bit ns1.wowservers.ru
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1548
                  • C:\Windows\SysWOW64\nslookup.exe
                    nslookup ransomware.bit ns2.wowservers.ru
                    2⤵
                      PID:2580
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup carder.bit ns2.wowservers.ru
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2884
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup ransomware.bit ns1.wowservers.ru
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:1976
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup carder.bit ns1.wowservers.ru
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:2476
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup ransomware.bit ns2.wowservers.ru
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:352
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup carder.bit ns2.wowservers.ru
                      2⤵
                      • System Location Discovery: System Language Discovery
                      PID:856
                    • C:\Windows\SysWOW64\nslookup.exe
                      nslookup ransomware.bit ns1.wowservers.ru
                      2⤵
                        PID:2200
                      • C:\Windows\SysWOW64\nslookup.exe
                        nslookup carder.bit ns1.wowservers.ru
                        2⤵
                        • System Location Discovery: System Language Discovery
                        PID:1616
                      • C:\Windows\SysWOW64\nslookup.exe
                        nslookup ransomware.bit ns2.wowservers.ru
                        2⤵
                          PID:2036
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup carder.bit ns2.wowservers.ru
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2436
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup ransomware.bit ns1.wowservers.ru
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2228
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup carder.bit ns1.wowservers.ru
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2944
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup ransomware.bit ns2.wowservers.ru
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2804
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup carder.bit ns2.wowservers.ru
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2940
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup ransomware.bit ns1.wowservers.ru
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:2680
                        • C:\Windows\SysWOW64\nslookup.exe
                          nslookup carder.bit ns1.wowservers.ru
                          2⤵
                            PID:2992
                          • C:\Windows\SysWOW64\nslookup.exe
                            nslookup ransomware.bit ns2.wowservers.ru
                            2⤵
                              PID:2904
                            • C:\Windows\SysWOW64\nslookup.exe
                              nslookup carder.bit ns2.wowservers.ru
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:2656
                            • C:\Windows\SysWOW64\nslookup.exe
                              nslookup ransomware.bit ns1.wowservers.ru
                              2⤵
                                PID:2052
                              • C:\Windows\SysWOW64\nslookup.exe
                                nslookup carder.bit ns1.wowservers.ru
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:1336
                              • C:\Windows\SysWOW64\nslookup.exe
                                nslookup ransomware.bit ns2.wowservers.ru
                                2⤵
                                  PID:2272
                                • C:\Windows\SysWOW64\nslookup.exe
                                  nslookup carder.bit ns2.wowservers.ru
                                  2⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2284
                                • C:\Windows\SysWOW64\nslookup.exe
                                  nslookup ransomware.bit ns1.wowservers.ru
                                  2⤵
                                    PID:568
                                  • C:\Windows\SysWOW64\nslookup.exe
                                    nslookup carder.bit ns1.wowservers.ru
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:436
                                  • C:\Windows\SysWOW64\nslookup.exe
                                    nslookup ransomware.bit ns2.wowservers.ru
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1072
                                  • C:\Windows\SysWOW64\nslookup.exe
                                    nslookup carder.bit ns2.wowservers.ru
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2852
                                  • C:\Windows\SysWOW64\nslookup.exe
                                    nslookup ransomware.bit ns1.wowservers.ru
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2264
                                  • C:\Windows\SysWOW64\nslookup.exe
                                    nslookup carder.bit ns1.wowservers.ru
                                    2⤵
                                      PID:608
                                    • C:\Windows\SysWOW64\nslookup.exe
                                      nslookup ransomware.bit ns2.wowservers.ru
                                      2⤵
                                        PID:2444
                                      • C:\Windows\SysWOW64\nslookup.exe
                                        nslookup carder.bit ns2.wowservers.ru
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:348
                                      • C:\Windows\SysWOW64\nslookup.exe
                                        nslookup ransomware.bit ns1.wowservers.ru
                                        2⤵
                                          PID:2156
                                        • C:\Windows\SysWOW64\nslookup.exe
                                          nslookup carder.bit ns1.wowservers.ru
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2132
                                        • C:\Windows\SysWOW64\nslookup.exe
                                          nslookup ransomware.bit ns2.wowservers.ru
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2336
                                        • C:\Windows\SysWOW64\nslookup.exe
                                          nslookup carder.bit ns2.wowservers.ru
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:448
                                        • C:\Windows\SysWOW64\nslookup.exe
                                          nslookup ransomware.bit ns1.wowservers.ru
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1192
                                        • C:\Windows\SysWOW64\nslookup.exe
                                          nslookup carder.bit ns1.wowservers.ru
                                          2⤵
                                            PID:812
                                          • C:\Windows\SysWOW64\nslookup.exe
                                            nslookup ransomware.bit ns2.wowservers.ru
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2000

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Windows\win.ini

                                          Filesize

                                          17KB

                                          MD5

                                          fc807cca56c0920e6c0e8036d22fbc61

                                          SHA1

                                          5d2189f4c501f40dfe09365e2242b0932263f043

                                          SHA256

                                          4e4aaff6eabcb85f2f4b5cd624073281b988c2c2605343cc06dcff08ef1baf1a

                                          SHA512

                                          cd002ba320c564d221779bb2da246affc3f17fb28e26266173a85ef480a1e486caf2fec4a17fe61841354cb1de3f0c8ad605f87f3851bae15a0515e657002a46

                                        • memory/2316-256-0x0000000000020000-0x000000000003B000-memory.dmp

                                          Filesize

                                          108KB

                                        • memory/2316-257-0x0000000000400000-0x000000000042C000-memory.dmp

                                          Filesize

                                          176KB

                                        • memory/2316-260-0x00000000002C0000-0x00000000002D7000-memory.dmp

                                          Filesize

                                          92KB

                                        • memory/2316-259-0x0000000000400000-0x000000000044D000-memory.dmp

                                          Filesize

                                          308KB

                                        • memory/2316-262-0x0000000000400000-0x000000000044D000-memory.dmp

                                          Filesize

                                          308KB

                                        • memory/2316-268-0x0000000000020000-0x000000000003B000-memory.dmp

                                          Filesize

                                          108KB

                                        • memory/2316-269-0x0000000000400000-0x000000000042C000-memory.dmp

                                          Filesize

                                          176KB