Analysis
max time kernel
150s
max time network
64s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
12/02/2025, 06:09
Behavioral task
behavioral1
Sample
8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe
Resource
win10v2004-20250211-en
General
Target
8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe
Size
1.7MB
MD5
10403f08a869a83d5c8d81162b711453
SHA1
e3b54c2de169474f7d9f2adc89ab63fcdde8e7f3
SHA256
8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241
SHA512
05547bb0125e199f030403a158f10197d0ff882cc518534137313fa5d4a1e7c7b5886956d495e890e56e423986a9957ac434d5378bb2b05418b40a5a00b00d1e
SSDEEP
24576:uGA0AhSVzjJqVR/xmx0AsQ5r2jOGJTS8KmlI+u+68+DrAmh:xAhuzc3DXJTS8KmVzeDr
Malware Config
Signatures
Detects Trigona ransomware (14 IoCs)
Trigona
A ransomware family first seen at the beginning of 2022.
Trigona family
Drops startup file (1 IoC)
description: File created
ioc: \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_to_decrypt.hta
Process: 8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\4036CAA32251C4111FBFD02511D866F4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe"
Process: 8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe
Drops desktop.ini file(s) (14 IoCs)
Drops file in Program Files directory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8faf6974c82fc495a2343a579a478c8e18dc6a60b1516ee107c88e18f8cde241.exe"
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID: 2236
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2KB
MD5
0e97bf19d6b3840b5c0b18a2b3867422
SHA1
d01fbc3a6f2f06d958c27378cbda42db9b5d8d8b
SHA256
c262fded7fde98ee7e0694fd77b37d43947e1c8a32b73d1ba5f1f0be7856148a
SHA512
cb5d2b196dfb008afb27e08fdd3d3fefb2768b5205e3129d4c47deec53a180e0050ac9271a9d1b52c800b025c7792c0bbc607a9d4f7707860b5d4763cb1b6077

Filesize
12KB
MD5
992a32c50f86128e6719d3bed20be0f4
SHA1
068b19afd4e5f3c6734162d9038248ba06441a91
SHA256
e55dd393ec6205aa14b9a19ec0204db93730fa5954532dec6a460ea5a30feb09
SHA512
e9087fd8bf2f339196ac5bde01b764f61f3cb624b67520e8444b79e52e5a8c4f3efb866fdfcb273039dd0ab69846fc62a75c1572aa7e4a0d9af3659523408d6e