Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 23:21 UTC

General

  • Target

    2025-01-27_29a63ecd7dbdab7857155d9eefd051d5_gandcrab.exe

  • Size

    70KB

  • MD5

    29a63ecd7dbdab7857155d9eefd051d5

  • SHA1

    6a3b6c3e98447f3c7bdd919babb0d6f34d289b62

  • SHA256

    7072800bcc759e9c4b7e70abbaa7974dd28a9e25c9e7fb1c8c55a21d398187e6

  • SHA512

    d1e202117c5ebe9312b182c96323025ed3d2e6c157a572453e28c12cecdb664f73236de8289dc7e54c1ff5d2f98b74db782fc2b45accb00a821e82ab6a5e8439

  • SSDEEP

    1536:XZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZM:+d5BJHMqqDL2/Ovvdr+

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-27_29a63ecd7dbdab7857155d9eefd051d5_gandcrab.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-27_29a63ecd7dbdab7857155d9eefd051d5_gandcrab.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 512
      2⤵
      • Program crash
      PID:1964

Network

  • flag-us
    DNS
    ipv4bot.whatismyipaddress.com
    2025-01-27_29a63ecd7dbdab7857155d9eefd051d5_gandcrab.exe
    Remote address:
    8.8.8.8:53
    Request
    ipv4bot.whatismyipaddress.com
    IN A
    Response
    No results found
  • 8.8.8.8:53
    ipv4bot.whatismyipaddress.com
    dns
    2025-01-27_29a63ecd7dbdab7857155d9eefd051d5_gandcrab.exe
    75 B
    134 B
    1
    1

    DNS Request

    ipv4bot.whatismyipaddress.com

MITRE ATT&CK Enterprise v15

