Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/01/2025, 16:14
Static task: static1
Behavioral task: behavioral1
  Sample: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
  Resource: win10v2004-20241007-en
General
Target: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Size: 240KB
MD5: fb1caeec84e0c4438963ce0fb133278d
SHA1: 2884cf44f8241a427a61ab7c54842e78a8b5b609
SHA256: 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706
SHA512: c55e0b640d3601f2b4d897599619796153e7007bdbd64a8455fd035ad787870bf2b8bde68a15dec40a4a24c0be8fc97790d125f9ab56b05ee3001679982ef997
SSDEEP: 6144:0haKwdeU7LyrC6pnv445VEXs5kzlu/e7QCsXqB:0hydeUvEpbQsx/eMvqB
Malware Config
Signatures
GandCrab payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/4244-258-0x0000000000400000-0x000000000044D000-memory.dmp | family_gandcrab
  behavioral2/memory/4244-259-0x00000000021F0000-0x0000000002207000-memory.dmp | family_gandcrab
  behavioral2/memory/4244-264-0x0000000000400000-0x000000000042C000-memory.dmp | family_gandcrab
Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
Gandcrab family
Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\win.ini | 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2728 | 4244 | WerFault.exe | 82
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\21bc5877d08935468c28c7361a7c38c40f98ed1782af6ba49e1a916046ae5706.exe"
   PID: 4244
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 460
      PID: 2728
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4244 -ip 4244
   PID: 1324
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: 96ddff88ff05b4479c8b56ab3b8e9ba2
SHA1: ec9c9b2f219b6dbdf4049f186cb3aead49ede9c4
SHA256: 1868f3df26a07bd7efe335a86ef3cc47c775577f4d1df269b9992a4c8c290f02
SHA512: e9ca074d6103c449489f916885562b8c379edf3c303ba01bf63df730b3cafe45a96e948ee5a4405a6f2d23a579d9c4ef6566cc17996c41560fe166586b29b92a