Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    810s
  • max time network
    432s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2025, 16:48

General

  • Target

    Urgent Contract Action.pdf.exe

  • Size

    431KB

  • MD5

    fbbdc39af1139aebba4da004475e8839

  • SHA1

    de5c8d858e6e41da715dca1c019df0bfb92d32c0

  • SHA256

    630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

  • SHA512

    74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

  • SSDEEP

    12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Badrabbit family
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in Windows directory 15 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4460
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3308956734 && exit"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3308956734 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4112
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:07:00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4524
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:07:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3436
      • C:\Windows\8FDC.tmp
        "C:\Windows\8FDC.tmp" \\.\pipe\{D081F385-ACC6-4F0C-9C9D-505D75ADD9A5}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:372
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2720
    • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
    • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1340
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\aria-debug-5000.log
      1⤵
        PID:3940
      • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
        1⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
          2⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3448
      • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
        1⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
          2⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:768
      • C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
        1⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3684
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
          2⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5112
      • C:\Windows\dispci.exe
        "C:\Windows\dispci.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5100
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /F /TN rhaegal
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1172

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\8FDC.tmp

        Filesize

        60KB

        MD5

        347ac3b6b791054de3e5720a7144a977

        SHA1

        413eba3973a15c1a6429d9f170f3e8287f98c21c

        SHA256

        301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

        SHA512

        9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

      • C:\Windows\dispci.exe

        Filesize

        139KB

        MD5

        b14d8faf7f0cbcfad051cefe5f39645f

        SHA1

        afeee8b4acff87bc469a6f0364a81ae5d60a2add

        SHA256

        8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

        SHA512

        f5dcbf3634aedfe5b8d6255e20015555343add5b1be3801e62a5987e86a3e52495b5ce3156e4f63cf095d0cedfb63939eaf39bea379ccac82a10a4182b8ded22

      • C:\Windows\infpub.dat

        Filesize

        401KB

        MD5

        1d724f95c61f1055f0d02c2154bbccd3

        SHA1

        79116fe99f2b421c52ef64097f0f39b815b20907

        SHA256

        579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

        SHA512

        f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

      • C:\Windows\infpub.dat

        Filesize

        401KB

        MD5

        c4f26ed277b51ef45fa180be597d96e8

        SHA1

        e9efc622924fb965d4a14bdb6223834d9a9007e7

        SHA256

        14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

        SHA512

        afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

      • memory/768-97-0x0000000002B10000-0x0000000002B78000-memory.dmp

        Filesize

        416KB

      • memory/768-105-0x0000000002B10000-0x0000000002B78000-memory.dmp

        Filesize

        416KB

      • memory/1340-67-0x00000000021F0000-0x0000000002258000-memory.dmp

        Filesize

        416KB

      • memory/1340-75-0x00000000021F0000-0x0000000002258000-memory.dmp

        Filesize

        416KB

      • memory/2436-55-0x0000000002CF0000-0x0000000002D58000-memory.dmp

        Filesize

        416KB

      • memory/2436-63-0x0000000002CF0000-0x0000000002D58000-memory.dmp

        Filesize

        416KB

      • memory/2628-15-0x0000000002770000-0x00000000027D8000-memory.dmp

        Filesize

        416KB

      • memory/2628-11-0x0000000002770000-0x00000000027D8000-memory.dmp

        Filesize

        416KB

      • memory/2628-3-0x0000000002770000-0x00000000027D8000-memory.dmp

        Filesize

        416KB

      • memory/3448-85-0x0000000002FE0000-0x0000000003048000-memory.dmp

        Filesize

        416KB

      • memory/3448-93-0x0000000002FE0000-0x0000000003048000-memory.dmp

        Filesize

        416KB

      • memory/5112-109-0x0000000002490000-0x00000000024F8000-memory.dmp

        Filesize

        416KB