
Resubmissions

  • 250128-qrd8kazmg1 (28/01/2025, 13:29), score 10
  • 250128-qnpvwszlh1 (28/01/2025, 13:24), score 10

Analysis

  • max time kernel
    226s
  • max time network
    235s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    28/01/2025, 13:29

Errors

  • Reason
    Machine shutdown (the guest powered off before the analysis time limit; note the shutdown /s /t 1 in the process tree below)

General

  • Target

    2025-01-28_30d22f047fc4f1f9f287f7cfb34a5a74_gandcrab.exe

  • Size

    70KB

  • MD5

    30d22f047fc4f1f9f287f7cfb34a5a74

  • SHA1

    611a127953b7898cb24d6e4b981fefd48a03e905

  • SHA256

    e1453edb74729a33c8219bcf018f1718d5461294c989b60bc090d6bc00451451

  • SHA512

    d91243d664f88dc22dd00e6383112aacf662b24230117e68dc166f43d0409cc4e118681b1e35ff5931d4ab384a738722df0933409a5087a5b367d1d92d1b8864

  • SSDEEP

    1536:XZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:+d5BJHMqqDL2/Ovvdr

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 36 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill (2 IoCs)
  • Modifies registry class (10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (42 IoCs)
  • Suspicious use of FindShellTrayWindow (20 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
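The two "Checks ... registry" signatures above refer to a well-known fingerprinting trick: the first disk's SCSI Identifier and the CPU name string under HKLM both expose the hypervisor vendor on a stock VM image. The script below is an added example (not tria.ge code) that shows the exact keys involved and the decision a sample typically makes from them; run read_live() on a sandbox image to see whether those two values give it away. VM_MARKERS and the SAMPLES values are assumptions constructed for the example, not data from the analysed machine.

```python
"""What the 'Checks SCSI registry key(s)' and 'Checks processor information in registry'
signatures are looking at.  Added example, not tria.ge's own code.  Both values live under
HKEY_LOCAL_MACHINE and are readable by any user, so a sample needs no privileges for this.
VM_MARKERS and SAMPLES are assumptions constructed for the example."""
import sys
from typing import Optional

SCSI_KEY = r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
SCSI_VALUE = "Identifier"          # vendor/model string of the first disk
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
CPU_VALUE = "ProcessorNameString"  # e.g. "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"

# Substrings anti-analysis code commonly treats as hypervisor tells (assumed list; extend as needed).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "hyper-v", "virtual", "kvm", "bochs", "parallels")


def vm_markers_in(value: Optional[str]) -> list[str]:
    """Markers present in a registry string, case-insensitively; [] for a missing value."""
    if not value:
        return []
    low = value.lower()
    return [m for m in VM_MARKERS if m in low]


def classify(scsi_identifier: Optional[str], cpu_name: Optional[str]) -> dict:
    """Mirror the sample's decision: any marker in either value => treat the host as a sandbox."""
    scsi_hits = vm_markers_in(scsi_identifier)
    cpu_hits = vm_markers_in(cpu_name)
    return {"scsi": scsi_hits, "cpu": cpu_hits, "looks_virtual": bool(scsi_hits or cpu_hits)}


def read_live() -> Optional[dict]:
    """Classify the real values on this machine; returns None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module

    def get(key: str, name: str) -> Optional[str]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                return str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            return None  # key or value absent (e.g. no SCSI-emulated disk)

    return classify(get(SCSI_KEY, SCSI_VALUE), get(CPU_KEY, CPU_VALUE))


# Constructed sample values (not taken from the analysed machine).
SAMPLES = {
    "vmware_guest": ("VMware   Virtual disk    2.0", "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz"),
    "virtualbox_guest": ("VBOX HARDDISK", "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"),
    "bare_metal": ("Samsung SSD 970 EVO 1TB", "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"),
}


def scan_samples() -> dict:
    """Name -> whether a sample using this check would refuse to run there."""
    return {name: classify(scsi, cpu)["looks_virtual"] for name, (scsi, cpu) in SAMPLES.items()}


if __name__ == "__main__":
    print(scan_samples())
    print(read_live())
```

The fix on the sandbox side is the inverse of this check: rewrite the Identifier and ProcessorNameString values (and the equivalent DMI/ACPI strings, which this example does not cover) to bare-metal-looking vendor strings before snapshotting the image.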

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-28_30d22f047fc4f1f9f287f7cfb34a5a74_gandcrab.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-28_30d22f047fc4f1f9f287f7cfb34a5a74_gandcrab.exe"
    • Adds Run key to start application
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2392
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    • Suspicious use of WriteProcessMemory
    PID:1420
      • C:\Windows\system32\csrss.exe
        csrss.exe
        PID:800
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im wininit.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5052
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:832
      • C:\Windows\explorer.exe
        explorer.exe
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2884
      • C:\Windows\system32\shutdown.exe
        shutdown /s /t 1
        PID:544
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
    • Suspicious use of SetWindowsHookEx
    PID:3112
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1904
  • C:\Windows\explorer.exe
    explorer.exe
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4316
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:4856
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:776
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
    PID:4140
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a29855 /state1:0x41c64e6d
    PID:4248
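The cmd.exe subtree is the interesting part of this run: two forced taskkill invocations (wininit.exe, explorer.exe) followed by shutdown /s /t 1 from the same parent, which is also why the analysis ends with "Machine shutdown". The script below is an added example (not tria.ge code) of turning that chain into detection logic over process-creation events: it flags forced kills of system or shell processes, forced shutdowns with no grace period, and the composite where one parent does both. EVENTS is constructed from the tree above (PIDs, images and command lines as shown, parent PIDs the page does not show recorded as None); it is not the sandbox's raw event log, and CRITICAL/SHELL are this example's own lists.

```python
"""Triage process-creation events for the 'kill a system process, then force a shutdown'
chain seen in the process tree above.  Added example, not tria.ge's own code.  EVENTS is
constructed from that tree, not taken from the sandbox's raw log; parent PIDs the report
does not show are None.  CRITICAL and SHELL are assumptions made for this example."""
import ntpath
from dataclasses import dataclass
from typing import Optional

# Forced termination of these crashes or locks the session; wininit.exe is a protected
# "critical process", so killing it bugchecks the machine.
CRITICAL = {"wininit.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
# Killing the shell does not crash Windows but is user-facing tampering.
SHELL = {"explorer.exe"}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: Optional[int]
    rule: str
    severity: str
    detail: str


def _argv(cmdline: str) -> list[str]:
    """Naive split, adequate for these command lines (no quoted spaces after argv[0])."""
    return [t.strip('"').lower() for t in cmdline.split()]


def _exe_is(argv: list[str], name: str) -> bool:
    return bool(argv) and ntpath.basename(argv[0]) in (name, name + ".exe")


def _flag_arg(argv: list[str], flag: str) -> Optional[str]:
    """Value following a flag such as /im or /t, or None when absent."""
    if flag in argv and argv.index(flag) + 1 < len(argv):
        return argv[argv.index(flag) + 1]
    return None


def check_taskkill(ev: Event) -> Optional[Finding]:
    argv = _argv(ev.cmdline)
    if not _exe_is(argv, "taskkill"):
        return None
    target = _flag_arg(argv, "/im")
    forced = "forced " if "/f" in argv else ""
    if target in CRITICAL:
        return Finding(ev.pid, ev.ppid, "taskkill_critical_process", "high", f"{forced}kill of {target}")
    if target in SHELL:
        return Finding(ev.pid, ev.ppid, "taskkill_shell", "medium", f"{forced}kill of {target}")
    return None


def check_shutdown(ev: Event, max_grace_seconds: int = 10) -> Optional[Finding]:
    argv = _argv(ev.cmdline)
    if not _exe_is(argv, "shutdown"):
        return None
    if not ({"/s", "/r", "/p"} & set(argv)):
        return None  # /l (logoff), /a (abort) and friends are not interesting here
    grace = _flag_arg(argv, "/t")
    try:
        grace_s = int(grace) if grace is not None else None
    except ValueError:
        grace_s = None
    # /p powers off immediately; a tiny /t leaves no window for anyone to abort.
    if "/p" in argv or (grace_s is not None and grace_s <= max_grace_seconds):
        return Finding(ev.pid, ev.ppid, "forced_shutdown", "high",
                       f"shutdown with {grace_s if grace_s is not None else 0}s grace")
    return None


def triage(events: list[Event]) -> list[Finding]:
    findings = [f for ev in events for f in (check_taskkill(ev), check_shutdown(ev)) if f]
    # Composite: the same parent both killed a system/shell process and forced a shutdown.
    rules_by_parent: dict[Optional[int], set[str]] = {}
    for f in findings:
        rules_by_parent.setdefault(f.ppid, set()).add(f.rule)
    for ppid, rules in rules_by_parent.items():
        if ppid is not None and "forced_shutdown" in rules and rules & {"taskkill_critical_process", "taskkill_shell"}:
            findings.append(Finding(ppid, None, "sabotage_chain", "critical",
                                    "parent killed a system/shell process and then forced a shutdown"))
    return findings


# Constructed from the process tree above.
EVENTS = [
    Event(2392, None, r"C:\Users\Admin\AppData\Local\Temp\2025-01-28_30d22f047fc4f1f9f287f7cfb34a5a74_gandcrab.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\2025-01-28_30d22f047fc4f1f9f287f7cfb34a5a74_gandcrab.exe"'),
    Event(1420, None, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    Event(800, 1420, r"C:\Windows\system32\csrss.exe", "csrss.exe"),
    Event(5052, 1420, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im wininit.exe"),
    Event(832, 1420, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im explorer.exe"),
    Event(2884, 1420, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(544, 1420, r"C:\Windows\system32\shutdown.exe", "shutdown /s /t 1"),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity:8}] pid={f.pid} ppid={f.ppid} {f.rule}: {f.detail}")
```

On the constructed events this yields four findings: the wininit.exe kill (high), the explorer.exe kill (medium), the one-second shutdown (high), and the composite chain attributed to cmd.exe PID 1420. In a real pipeline the same checks would run over Sysmon event ID 1 or EDR process-start telemetry, where the parent of cmd.exe (absent from this page) would also be available.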

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
    Filesize: 220KB
    MD5: 49f0544839f2c3eac50e88d1b9bb6104
    SHA1: 1851c916bf2623cb87d620f37a7b9d916ba70787
    SHA256: f87029b03338863e1506e149b81ae7b7b7dc4cbfdf867fdf55115673f7d4f8d3
    SHA512: 6922931ec2b89d39ada2a9fb82bb27a542bde39153b6056fe2820ecb6113353a98e872d5a52d0649ffd68472ddcca4858ee2ebada875830a03ab6c54c128ad53
  • memory/776-7-0x000001FDA6400000-0x000001FDA6500000-memory.dmp
    Filesize: 1024KB
  • memory/776-41-0x000001FDA7520000-0x000001FDA7540000-memory.dmp
    Filesize: 128KB
  • memory/776-39-0x000001FDA7540000-0x000001FDA7560000-memory.dmp
    Filesize: 128KB
  • memory/776-23-0x000001FDA7500000-0x000001FDA7520000-memory.dmp
    Filesize: 128KB
  • memory/776-55-0x000001FDB9C80000-0x000001FDB9D80000-memory.dmp
    Filesize: 1024KB
  • memory/4316-5-0x0000000002960000-0x0000000002961000-memory.dmp
    Filesize: 4KB