Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 125s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29/03/2021, 05:10
Static task
- static1
Behavioral task
- behavioral1
  Sample: xxx.exe
  Resource: win7v20201028
  0 signatures, 0 seconds
Behavioral task
- behavioral2
  Sample: xxx.exe
  Resource: win10v20201028
  0 signatures, 0 seconds
General
- Target: xxx.exe
- Size: 212KB
- MD5: af9754aa7c14005973189c09494b50af
- SHA1: fd4b1bdbbfc7fe46bfe3d2205641c441f796a03d
- SHA256: 30aa50598d3a153d842f3861f66cd1a8ee754f850ee2429aa739975536b5be3a
- SHA512: c6fdd0b930e573d4b3d94232e2ca624c6d21bff572d237e6f3abd9d26ee0e6eb4db0e9bd1384a5961a5da6fc44d81026534a139696b3ae6688705fa52471f887
Score
8/10
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  1452  oyvDKUOTerep.exe
  1684  GubAQYUghlan.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  1108  xxx.exe
  1108  xxx.exe
  1108  xxx.exe
  1108  xxx.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid   Process
  1368  icacls.exe
  1836  icacls.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process  procid_target
  PID 1108 wrote to memory of 1452   1108  xxx.exe  29
  PID 1108 wrote to memory of 1452   1108  xxx.exe  29
  PID 1108 wrote to memory of 1452   1108  xxx.exe  29
  PID 1108 wrote to memory of 1452   1108  xxx.exe  29
  PID 1108 wrote to memory of 1684   1108  xxx.exe  30
  PID 1108 wrote to memory of 1684   1108  xxx.exe  30
  PID 1108 wrote to memory of 1684   1108  xxx.exe  30
  PID 1108 wrote to memory of 1684   1108  xxx.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\xxx.exe (PID 1108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\oyvDKUOTerep.exe (PID 1452)
    Command line: "C:\Users\Admin\AppData\Local\Temp\oyvDKUOTerep.exe" 9 REP
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\GubAQYUghlan.exe (PID 1684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GubAQYUghlan.exe" 8 LAN
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\HBJwRRtrQlan.exe (PID 372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\HBJwRRtrQlan.exe" 8 LAN
    Signatures: none
  - C:\Windows\SysWOW64\icacls.exe (PID 1368)
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (PID 1836)
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
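Detection logic for the two patterns this process tree shows (a %TEMP%-resident executable spawning further %TEMP%-resident executables and icacls.exe, and icacls granting Everyone full control recursively on a drive root), as an added example written for this page rather than tria.ge's own signature code. It runs over constructed process-creation records shaped like the tree above; the parent of the root sample (ppid 0), the benign control processes at the end of the list, and the SID spellings in BROAD_PRINCIPALS are assumptions added here, not data from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Principals that effectively mean "anyone". The SID forms are an assumption
# added for non-English systems; the report itself only shows "Everyone".
BROAD_PRINCIPALS = {"everyone", "*s-1-1-0", "users", "*s-1-5-32-545",
                    "authenticated users", "*s-1-5-11"}


def tokenize(cmdline):
    """Minimal Windows-style split: a double-quoted span is one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def icacls_broad_grant(ev):
    """True for icacls granting full control (F) to a broad principal,
    recursively (/T), on a drive root such as C:\\* (the pattern in the report)."""
    if not ev.image.lower().endswith("\\icacls.exe"):
        return False
    toks = tokenize(ev.cmdline)
    lower = [t.lower() for t in toks]
    grants = [toks[i + 1] for i, t in enumerate(lower)
              if t in ("/grant", "/grant:r") and i + 1 < len(toks)]
    broad_full = False
    for g in grants:
        principal, _, perm = g.rpartition(":")
        perm = re.sub(r"\([^)]*\)", "", perm).upper()  # drop (OI)(CI) inheritance flags
        if principal.lower() in BROAD_PRINCIPALS and perm == "F":
            broad_full = True
    recursive = "/t" in lower
    drive_root = any(re.fullmatch(r"[a-z]:\\\*", t, re.IGNORECASE) for t in toks)
    return broad_full and recursive and drive_root


def _parent_in_temp(ev, by_pid):
    parent = by_pid.get(ev.ppid)
    return parent is not None and bool(TEMP_DIR_RE.search(parent.image))


def temp_exe_spawns_temp_exe(ev, by_pid):
    """A %TEMP%-resident executable launching a different %TEMP%-resident executable."""
    return (_parent_in_temp(ev, by_pid) and bool(TEMP_DIR_RE.search(ev.image))
            and ev.image.lower() != by_pid[ev.ppid].image.lower())


def temp_exe_spawns_icacls(ev, by_pid):
    """A %TEMP%-resident executable launching icacls.exe at all."""
    return _parent_in_temp(ev, by_pid) and ev.image.lower().endswith("\\icacls.exe")


def analyze(events):
    """Return (pid, rule_name) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if icacls_broad_grant(ev):
            findings.append((ev.pid, "icacls_recursive_full_control_to_broad_principal"))
        if temp_exe_spawns_temp_exe(ev, by_pid):
            findings.append((ev.pid, "temp_exe_spawns_temp_exe"))
        if temp_exe_spawns_icacls(ev, by_pid):
            findings.append((ev.pid, "temp_exe_spawns_icacls"))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed records mirroring the report's process tree. The root's ppid (0)
# and the three benign control processes are invented for this example.
SAMPLE_EVENTS = [
    ProcEvent(1108, 0, TEMP + r"\xxx.exe", f'"{TEMP}\\xxx.exe"'),
    ProcEvent(1452, 1108, TEMP + r"\oyvDKUOTerep.exe", f'"{TEMP}\\oyvDKUOTerep.exe" 9 REP'),
    ProcEvent(1684, 1108, TEMP + r"\GubAQYUghlan.exe", f'"{TEMP}\\GubAQYUghlan.exe" 8 LAN'),
    ProcEvent(372, 1108, TEMP + r"\HBJwRRtrQlan.exe", f'"{TEMP}\\HBJwRRtrQlan.exe" 8 LAN'),
    ProcEvent(1368, 1108, r"C:\Windows\SysWOW64\icacls.exe", r'icacls "D:\*" /grant Everyone:F /T /C /Q'),
    ProcEvent(1836, 1108, r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    # benign control: an administrator scoping read access on one folder from cmd.exe
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(510, 500, r"C:\Windows\System32\icacls.exe", r'icacls "C:\Share" /grant Users:RX /T'),
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule)
```

Two points the rules are built around: the image path is matched on the `\icacls.exe` suffix rather than on `System32`, because a 32-bit parent on 64-bit Windows sees the WOW64 copy (the report's icacls runs under `C:\Windows\SysWOW64`, consistent with the windows7_x64 platform); and the `/T` (recurse), `/C` (continue on errors) and `/Q` (quiet) flags together with a `X:\*` target are what turn an ordinary ACL edit into a drive-wide permission reset. Dropping the `drive_root` requirement widens the first rule to any recursive full-control grant to a broad principal, at the cost of more noise from legitimate administration.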