Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2025-01-28...ab.exe

windows7-x64

6

2025-01-28...ab.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    92s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2025, 14:26 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-28_319fd0734d2786f17ca1e25b4eaac5f4_gandcrab.exe

  • Size

    70KB

  • MD5

    319fd0734d2786f17ca1e25b4eaac5f4

  • SHA1

    3b28ef659164bade6e78ea0ca52b7e228e31dfe0

  • SHA256

    ea3f94993dbc547760a45fb3ad70b8174b0a3ab4713be6d851cdfdc27910f544

  • SHA512

    6d5cdc7207bdf58666c30f44b46718429e9bb60147a14be7d561be19dcc5e45a7ee5f86e28e92136819d8b832d690d2acce4cddd615c2ae35aa0d691f9bb519a

  • SSDEEP

    1536:OZZZZZZZZZZZZpXzzzzzzzzzzzzADypczUk+lkZJngWMqqU+2bbbAV2/S2OvvdZl:td5BJHMqqDL2/Ovvdr

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-28_319fd0734d2786f17ca1e25b4eaac5f4_gandcrab.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-28_319fd0734d2786f17ca1e25b4eaac5f4_gandcrab.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:3124

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.153.16.2.in-addr.arpa
    IN PTR
    Response
    11.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-11deploystaticakamaitechnologiescom
  • flag-us
    DNS
    ipv4bot.whatismyipaddress.com
    2025-01-28_319fd0734d2786f17ca1e25b4eaac5f4_gandcrab.exe
    Remote address:
    8.8.8.8:53
    Request
    ipv4bot.whatismyipaddress.com
    IN A
    Response
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    11.153.16.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    11.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    ipv4bot.whatismyipaddress.com
    dns
    2025-01-28_319fd0734d2786f17ca1e25b4eaac5f4_gandcrab.exe
    75 B
     134 B
     1
    1

    DNS Request

    ipv4bot.whatismyipaddress.com

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.