Analysis
max time kernel
810s
max time network
432s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags
arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted
02/02/2025, 16:48
Static task
static1
Behavioral task
behavioral1
Sample
Urgent Contract Action.pdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Urgent Contract Action.pdf.exe
Resource
win10v2004-20250129-en
General
Target
Urgent Contract Action.pdf.exe
Size
431KB
MD5
fbbdc39af1139aebba4da004475e8839
SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP
12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
Badrabbit family
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
Mimikatz family
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource                                       yara_rule
behavioral2/files/0x001b0000000162a8-20.dat    mimikatz
Blocklisted process makes network request 5 IoCs
flow  pid   Process
222   2628  rundll32.exe
234   2628  rundll32.exe
245   2628  rundll32.exe
257   2628  rundll32.exe
268   2628  rundll32.exe
Executes dropped EXE 2 IoCs
pid   Process
372   8FDC.tmp
4000  dispci.exe
Loads dropped DLL 6 IoCs
pid   Process
2628  rundll32.exe
2436  rundll32.exe
1340  rundll32.exe
3448  rundll32.exe
768   rundll32.exe
5112  rundll32.exe
Drops file in Windows directory 15 IoCs
description                   ioc                     Process
File opened for modification  C:\Windows\infpub.dat   rundll32.exe
File opened for modification  C:\Windows\infpub.dat   rundll32.exe
File opened for modification  C:\Windows\infpub.dat   rundll32.exe
File opened for modification  C:\Windows\infpub.dat   rundll32.exe
File created                  C:\Windows\infpub.dat   Urgent Contract Action.pdf.exe
File created                  C:\Windows\infpub.dat   Urgent Contract Action.pdf.exe
File created                  C:\Windows\dispci.exe   rundll32.exe
File opened for modification  C:\Windows\infpub.dat   rundll32.exe
File opened for modification  C:\Windows\8FDC.tmp     rundll32.exe
File created                  C:\Windows\infpub.dat   Urgent Contract Action.pdf.exe
File created                  C:\Windows\infpub.dat   Urgent Contract Action.pdf.exe
File created                  C:\Windows\infpub.dat   Urgent Contract Action.pdf.exe
File created                  C:\Windows\cscc.dat     rundll32.exe
File created                  C:\Windows\infpub.dat   Urgent Contract Action.pdf.exe
File opened for modification  C:\Windows\infpub.dat   rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   dispci.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Urgent Contract Action.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Urgent Contract Action.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Urgent Contract Action.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Urgent Contract Action.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Urgent Contract Action.pdf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Urgent Contract Action.pdf.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3436  schtasks.exe
4112  schtasks.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid   Process
2628  rundll32.exe
2628  rundll32.exe
2628  rundll32.exe
2628  rundll32.exe
372   8FDC.tmp
372   8FDC.tmp
372   8FDC.tmp
372   8FDC.tmp
372   8FDC.tmp
372   8FDC.tmp
2436  rundll32.exe
2436  rundll32.exe
1340  rundll32.exe
1340  rundll32.exe
3448  rundll32.exe
3448  rundll32.exe
768   rundll32.exe
768   rundll32.exe
5112  rundll32.exe
5112  rundll32.exe
Suspicious use of AdjustPrivilegeToken 19 IoCs
description                 pid   Process
Token: SeShutdownPrivilege  2628  rundll32.exe
Token: SeDebugPrivilege     2628  rundll32.exe
Token: SeTcbPrivilege       2628  rundll32.exe
Token: SeDebugPrivilege     372   8FDC.tmp
Token: SeShutdownPrivilege  2436  rundll32.exe
Token: SeDebugPrivilege     2436  rundll32.exe
Token: SeTcbPrivilege       2436  rundll32.exe
Token: SeShutdownPrivilege  1340  rundll32.exe
Token: SeDebugPrivilege     1340  rundll32.exe
Token: SeTcbPrivilege       1340  rundll32.exe
Token: SeShutdownPrivilege  3448  rundll32.exe
Token: SeDebugPrivilege     3448  rundll32.exe
Token: SeTcbPrivilege       3448  rundll32.exe
Token: SeShutdownPrivilege  768   rundll32.exe
Token: SeDebugPrivilege     768   rundll32.exe
Token: SeTcbPrivilege       768   rundll32.exe
Token: SeShutdownPrivilege  5112  rundll32.exe
Token: SeDebugPrivilege     5112  rundll32.exe
Token: SeTcbPrivilege       5112  rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
4000  dispci.exe
4000  dispci.exe
Suspicious use of WriteProcessMemory 44 IoCs
description                        pid   Process                          procid_target
PID 3280 wrote to memory of 2628   3280  Urgent Contract Action.pdf.exe   84
PID 3280 wrote to memory of 2628   3280  Urgent Contract Action.pdf.exe   84
PID 3280 wrote to memory of 2628   3280  Urgent Contract Action.pdf.exe   84
PID 2628 wrote to memory of 2880   2628  rundll32.exe                     87
PID 2628 wrote to memory of 2880   2628  rundll32.exe                     87
PID 2628 wrote to memory of 2880   2628  rundll32.exe                     87
PID 2880 wrote to memory of 4460   2880  cmd.exe                          89
PID 2880 wrote to memory of 4460   2880  cmd.exe                          89
PID 2880 wrote to memory of 4460   2880  cmd.exe                          89
PID 2628 wrote to memory of 2476   2628  rundll32.exe                     93
PID 2628 wrote to memory of 2476   2628  rundll32.exe                     93
PID 2628 wrote to memory of 2476   2628  rundll32.exe                     93
PID 2476 wrote to memory of 4112   2476  cmd.exe                          95
PID 2476 wrote to memory of 4112   2476  cmd.exe                          95
PID 2476 wrote to memory of 4112   2476  cmd.exe                          95
PID 2628 wrote to memory of 4524   2628  rundll32.exe                     96
PID 2628 wrote to memory of 4524   2628  rundll32.exe                     96
PID 2628 wrote to memory of 4524   2628  rundll32.exe                     96
PID 2628 wrote to memory of 372    2628  rundll32.exe                     97
PID 2628 wrote to memory of 372    2628  rundll32.exe                     97
PID 4524 wrote to memory of 3436   4524  cmd.exe                          100
PID 4524 wrote to memory of 3436   4524  cmd.exe                          100
PID 4524 wrote to memory of 3436   4524  cmd.exe                          100
PID 2956 wrote to memory of 2436   2956  Urgent Contract Action.pdf.exe   116
PID 2956 wrote to memory of 2436   2956  Urgent Contract Action.pdf.exe   116
PID 2956 wrote to memory of 2436   2956  Urgent Contract Action.pdf.exe   116
PID 1968 wrote to memory of 1340   1968  Urgent Contract Action.pdf.exe   119
PID 1968 wrote to memory of 1340   1968  Urgent Contract Action.pdf.exe   119
PID 1968 wrote to memory of 1340   1968  Urgent Contract Action.pdf.exe   119
PID 4920 wrote to memory of 3448   4920  Urgent Contract Action.pdf.exe   123
PID 4920 wrote to memory of 3448   4920  Urgent Contract Action.pdf.exe   123
PID 4920 wrote to memory of 3448   4920  Urgent Contract Action.pdf.exe   123
PID 4868 wrote to memory of 768    4868  Urgent Contract Action.pdf.exe   126
PID 4868 wrote to memory of 768    4868  Urgent Contract Action.pdf.exe   126
PID 4868 wrote to memory of 768    4868  Urgent Contract Action.pdf.exe   126
PID 3684 wrote to memory of 5112   3684  Urgent Contract Action.pdf.exe   129
PID 3684 wrote to memory of 5112   3684  Urgent Contract Action.pdf.exe   129
PID 3684 wrote to memory of 5112   3684  Urgent Contract Action.pdf.exe   129
PID 4000 wrote to memory of 5100   4000  dispci.exe                       134
PID 4000 wrote to memory of 5100   4000  dispci.exe                       134
PID 4000 wrote to memory of 5100   4000  dispci.exe                       134
PID 5100 wrote to memory of 1172   5100  cmd.exe                          136
PID 5100 wrote to memory of 1172   5100  cmd.exe                          136
PID 5100 wrote to memory of 1172   5100  cmd.exe                          136
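The WriteProcessMemory table above records one row per call, so a single child spawn shows up as several identical rows (three for most children here, two for 8FDC.tmp). The following is an added example, not part of the tria.ge report: it parses an excerpt of that table, collapses the repeated rows into counted parent/child edges and prints the resulting tree. The excerpt is copied from the table above and joined onto one line; the column layout (writer pid, target pid, writer pid again, writer image, sandbox process index) is read off the table header, and the row count per edge is kept as a hint of how many writes each spawn produced.

```python
# Rebuild the parent/child process tree from the flattened
# 'Suspicious use of WriteProcessMemory' table of a tria.ge report.
import re
from collections import Counter

# One record: "PID <src> wrote to memory of <dst> <src> <writer image> <target index>"
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>.+?) (?P<target>\d+)\s*$"
)


def parse_records(table_text):
    # Return [(writer_pid, target_pid, writer_image)] from the flattened table text.
    records = []
    for chunk in re.split(r"\s+(?=PID \d+ wrote to memory of)", table_text.strip()):
        if not chunk.startswith("PID "):
            continue  # the column header ("description pid Process procid_target")
        m = RECORD_RE.match(chunk)
        if not m:
            raise ValueError("unparsed record: %r" % chunk)
        records.append((int(m["src"]), int(m["dst"]), m["image"]))
    return records


def build_tree(records):
    # Collapse rows into edges; return (edge counts, children by pid, roots, names).
    edges = Counter((src, dst) for src, dst, _ in records)
    names, children = {}, {}
    for src, dst, image in records:
        names[src] = image            # the image column names the writer, not the target
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)           # keep first-seen order, as in the report
    targets = {dst for _, dst, _ in records}
    roots = [pid for pid in children if pid not in targets]
    return edges, children, roots, names


def render(edges, children, roots, names):
    # Indented one-line-per-process view with the write count on each edge.
    lines = []

    def walk(pid, depth, writes):
        label = names.get(pid, "(no writes logged)")
        tag = " [%d writes]" % writes if writes else ""
        lines.append("  " * depth + "%d %s%s" % (pid, label, tag))
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


# Constructed excerpt: rows copied from the table above, joined onto one line.
SAMPLE_TABLE = (
    "description pid Process procid_target "
    + "PID 3280 wrote to memory of 2628 3280 Urgent Contract Action.pdf.exe 84 " * 3
    + "PID 2628 wrote to memory of 2880 2628 rundll32.exe 87 " * 3
    + "PID 2880 wrote to memory of 4460 2880 cmd.exe 89 " * 3
    + "PID 2628 wrote to memory of 2476 2628 rundll32.exe 93 " * 3
    + "PID 2476 wrote to memory of 4112 2476 cmd.exe 95 " * 3
    + "PID 2628 wrote to memory of 4524 2628 rundll32.exe 96 " * 3
    + "PID 2628 wrote to memory of 372 2628 rundll32.exe 97 " * 2
    + "PID 4524 wrote to memory of 3436 4524 cmd.exe 100 " * 3
    + "PID 2956 wrote to memory of 2436 2956 Urgent Contract Action.pdf.exe 116 " * 3
    + "PID 4000 wrote to memory of 5100 4000 dispci.exe 134 " * 3
    + "PID 5100 wrote to memory of 1172 5100 cmd.exe 136 " * 3
)

if __name__ == "__main__":
    print("\n".join(render(*build_tree(parse_records(SAMPLE_TABLE)))))
```

Leaf processes (schtasks.exe, 8FDC.tmp) never write into another process, so their names are not recoverable from this table alone and have to be taken from the process tree below. Note also that dispci.exe (pid 4000) comes out as a root: no process in the table writes into it, which is consistent with it being started by the rhaegal scheduled task rather than spawned directly by the dropper.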
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3280
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2628
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c schtasks /Delete /F /TN rhaegal
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2880
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Delete /F /TN rhaegal
          - System Location Discovery: System Language Discovery
          PID:4460
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3308956734 && exit"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2476
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3308956734 && exit"
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID:4112
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:07:00
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:4524
      [4] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:07:00
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID:3436
    [3] C:\Windows\8FDC.tmp
        command line: "C:\Windows\8FDC.tmp" \\.\pipe\{D081F385-ACC6-4F0C-9C9D-505D75ADD9A5}
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:372

[1] C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2720

[1] C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2436

[1] C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1340

[1] C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\aria-debug-5000.log
    PID:3940

[1] C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4920
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3448

[1] C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4868
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:768

[1] C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3684
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:5112

[1] C:\Windows\dispci.exe
    command line: "C:\Windows\dispci.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4000
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: /c schtasks /Delete /F /TN rhaegal
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5100
    [3] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /Delete /F /TN rhaegal
        - System Location Discovery: System Language Discovery
        PID:1172
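Detection logic for the chain shown in this process tree, as an added example that is not part of the tria.ge report. The rules are the ones a practitioner would write from this tree: rundll32 handed a module whose extension is not .dll (infpub.dat), schtasks creating a SYSTEM task named rhaegal or drogon, or any SYSTEM task whose action is a forced reboot or the dropped dispci.exe, a .tmp-named executable started with a named pipe argument (8FDC.tmp), and a correlation rule that flags schtasks whose ancestry passes through such a rundll32. The events are constructed for the example: pids, images and command lines are copied from the tree above, Sysmon Event ID 1 field names are assumed for the log source, and pid 9001 is an invented renamed copy of the drogon task added to show that the name-agnostic rule still fires. Rules match on the image basename, so the WoW64 redirection visible above (the image is SysWOW64\rundll32.exe although the command line names a system32 path) does not affect matching.

```python
# Detection rules for the process chain in this report.  Events are constructed
# (pids and command lines copied from the tree above, Sysmon Event ID 1 field
# names assumed); they are not sandbox output.
import os
import re

KNOWN_TASK_NAMES = {"rhaegal", "drogon"}   # task names seen in the tree above
RUNDLL32_EXPECTED_EXT = {".dll", ".cpl"}   # what rundll32 is normally handed


def _base(path):
    # lower-cased file name of a Windows path, independent of the host OS
    return os.path.basename(path.replace("\\", "/")).lower()


def rundll32_module(cmdline):
    # module passed to rundll32 (the part before the comma), or None
    m = re.search(r'rundll32\.exe\s+"?([^",]+?)"?\s*,', cmdline, re.I)
    return m.group(1) if m else None


def task_switch(cmdline, switch):
    # value after a schtasks switch such as /TN or /RU, bare or quoted
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % switch, cmdline, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def rule_rundll32_nondll(ev):
    # rundll32 loading something that is not a DLL (infpub.dat above)
    if _base(ev["Image"]) != "rundll32.exe":
        return None
    mod = rundll32_module(ev["CommandLine"])
    if mod is None or os.path.splitext(mod)[1].lower() in RUNDLL32_EXPECTED_EXT:
        return None
    return ("rundll32_nondll_module", ev["ProcessId"], mod)


def rule_schtasks_system(ev):
    # task creation matching the rhaegal/drogon pattern, by name or by content
    cl = ev["CommandLine"]
    if _base(ev["Image"]) != "schtasks.exe" or not re.search(r"/create\b", cl, re.I):
        return None
    name = (task_switch(cl, "TN") or "").lower()
    runas = (task_switch(cl, "RU") or "").lower()
    m = re.search(r"/TR\s+(.*)$", cl, re.I)
    action = m.group(1).lower() if m else ""
    if name in KNOWN_TASK_NAMES:
        return ("schtasks_known_badrabbit_name", ev["ProcessId"], name)
    if runas == "system" and ("shutdown.exe" in action or "dispci.exe" in action):
        return ("schtasks_system_reboot_or_dropper", ev["ProcessId"], name)
    return None


def rule_tmp_with_pipe(ev):
    # an executable with a .tmp name handed a named pipe (8FDC.tmp above)
    if _base(ev["Image"]).endswith(".tmp") and "\\\\.\\pipe\\" in ev["CommandLine"]:
        return ("tmp_exe_named_pipe", ev["ProcessId"], ev["Image"])
    return None


def rule_schtasks_under_rundll32(ev, by_pid):
    # correlation: schtasks whose ancestry passes through a non-DLL rundll32
    if _base(ev["Image"]) != "schtasks.exe":
        return None
    cur = by_pid.get(ev["ParentProcessId"])
    while cur is not None:
        if rule_rundll32_nondll(cur):
            return ("schtasks_under_rundll32_nondll", ev["ProcessId"],
                    "ancestor pid %d" % cur["ProcessId"])
        cur = by_pid.get(cur["ParentProcessId"])
    return None


def detect(events):
    # run every rule over every event; return (rule, pid, detail) tuples
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for ev in events:
        hits = [r(ev) for r in (rule_rundll32_nondll, rule_schtasks_system, rule_tmp_with_pipe)]
        hits.append(rule_schtasks_under_rundll32(ev, by_pid))
        alerts.extend(h for h in hits if h)
    return alerts


def _ev(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


CMD, SCHTASKS = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe"
RHAEGAL = (r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe '
           r'/C Start \"\" \"C:\Windows\dispci.exe\" -id 3308956734 && exit"')
DROGON = r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:07:00'

# Constructed events.  pid 9001 is an invented renamed copy of the drogon task;
# pid 2720 is the benign shell32 rundll32 from the tree and must not alert.
SAMPLE_EVENTS = [
    _ev(3280, 1, r"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"'),
    _ev(2628, 3280, r"C:\Windows\SysWOW64\rundll32.exe",
        r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    _ev(2880, 2628, CMD, "/c schtasks /Delete /F /TN rhaegal"),
    _ev(4460, 2880, SCHTASKS, "schtasks /Delete /F /TN rhaegal"),
    _ev(2476, 2628, CMD, "/c " + RHAEGAL),
    _ev(4112, 2476, SCHTASKS, RHAEGAL),
    _ev(4524, 2628, CMD, "/c " + DROGON),
    _ev(3436, 4524, SCHTASKS, DROGON),
    _ev(372, 2628, r"C:\Windows\8FDC.tmp",
        r'"C:\Windows\8FDC.tmp" \\.\pipe\{D081F385-ACC6-4F0C-9C9D-505D75ADD9A5}'),
    _ev(2720, 1, r"C:\Windows\System32\rundll32.exe",
        r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
        r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    _ev(9001, 1, SCHTASKS, DROGON.replace("drogon", "updater")),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print("%-34s pid=%-5d %s" % (rule, pid, detail))
```

The correlation rule also fires on the `schtasks /Delete` children (pid 4460), which is intended: a scheduled-task operation of any kind under a rundll32 that loaded a non-DLL is worth a look, and the rule carries the ancestor pid so the analyst can pivot to it. The shell32 rundll32 instance (pid 2720) is left alone because its module is a real DLL.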
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
60KB
MD5
347ac3b6b791054de3e5720a7144a977
SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Filesize
139KB
MD5
b14d8faf7f0cbcfad051cefe5f39645f
SHA1
afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256
8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
SHA512
f5dcbf3634aedfe5b8d6255e20015555343add5b1be3801e62a5987e86a3e52495b5ce3156e4f63cf095d0cedfb63939eaf39bea379ccac82a10a4182b8ded22

Filesize
401KB
MD5
1d724f95c61f1055f0d02c2154bbccd3
SHA1
79116fe99f2b421c52ef64097f0f39b815b20907
SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Filesize
401KB
MD5
c4f26ed277b51ef45fa180be597d96e8
SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7
SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e