Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
10s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
21/04/2021, 09:29
Static task
static1
Behavioral task
behavioral1
Sample
main_setup_x86x64.bin.exe
Resource
win7v20210408
0 signatures
0 seconds
General
-
Target
main_setup_x86x64.bin.exe
-
Size
1.8MB
-
MD5
51da3eb43302642233928bd69ca6e219
-
SHA1
7d7d696126bde5e8dbab7382d278e40d22cf47da
-
SHA256
138a3dd2730be8b076caf28f85d3fbd5a987f9587c8b629ca565ac8de1cc9637
-
SHA512
6956d4a9331ad8b6cf563427c36ddf4981f1cdebd30ec8cdbc6ec2845e0f4762ed2c4d8d3285b0bcd18d698569d2067f58e9fa1e22d77d4be97efd97d1898561
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1028 Fresche.exe.com 1644 Fresche.exe.com -
Loads dropped DLL 1 IoCs
pid Process 628 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Fresche.exe.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fresche.exe.com -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1120 PING.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1652 wrote to memory of 1312 1652 main_setup_x86x64.bin.exe 26 PID 1652 wrote to memory of 1312 1652 main_setup_x86x64.bin.exe 26 PID 1652 wrote to memory of 1312 1652 main_setup_x86x64.bin.exe 26 PID 1652 wrote to memory of 1312 1652 main_setup_x86x64.bin.exe 26 PID 1652 wrote to memory of 1992 1652 main_setup_x86x64.bin.exe 28 PID 1652 wrote to memory of 1992 1652 main_setup_x86x64.bin.exe 28 PID 1652 wrote to memory of 1992 1652 main_setup_x86x64.bin.exe 28 PID 1652 wrote to memory of 1992 1652 main_setup_x86x64.bin.exe 28 PID 1992 wrote to memory of 628 1992 cmd.exe 30 PID 1992 wrote to memory of 628 1992 cmd.exe 30 PID 1992 wrote to memory of 628 1992 cmd.exe 30 PID 1992 wrote to memory of 628 1992 cmd.exe 30 PID 628 wrote to memory of 796 628 cmd.exe 34 PID 628 wrote to memory of 796 628 cmd.exe 34 PID 628 wrote to memory of 796 628 cmd.exe 34 PID 628 wrote to memory of 796 628 cmd.exe 34 PID 628 wrote to memory of 1028 628 cmd.exe 35 PID 628 wrote to memory of 1028 628 cmd.exe 35 PID 628 wrote to memory of 1028 628 cmd.exe 35 PID 628 wrote to memory of 1028 628 cmd.exe 35 PID 628 wrote to memory of 1120 628 cmd.exe 36 PID 628 wrote to memory of 1120 628 cmd.exe 36 PID 628 wrote to memory of 1120 628 cmd.exe 36 PID 628 wrote to memory of 1120 628 cmd.exe 36 PID 1028 wrote to memory of 1644 1028 Fresche.exe.com 37 PID 1028 wrote to memory of 1644 1028 Fresche.exe.com 37 PID 1028 wrote to memory of 1644 1028 Fresche.exe.com 37 PID 1028 wrote to memory of 1644 1028 Fresche.exe.com 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.bin.exe"C:\Users\Admin\AppData\Local\Temp\main_setup_x86x64.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\makecab.exe"C:\Windows\System32\makecab.exe"2⤵PID:1312
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c mtGCHFXHhSVuwQmJLT & EmCeqebftHqwLnhIhSxEfgLn & cmd < Cui.jar2⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\cmd.execmd3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^PGjCsNUUOkulVUDgTCsLgwbtgnrtaMjQyMxswDFobKDrInIVqUHEnjBNoihSKQBwYdtpmkjfXohDnxcQQitnyHsSkGpTfMbHpBtszncOHsHdZXfOMbeCLrWsZkXTezZlKGxWfrv$" Sete.jar4⤵PID:796
-
-
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.comFresche.exe.com d4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.comC:\Users\Admin\AppData\Roaming\OXsFtCpbcFqWwGmldTZhQlINikRdfndNrRkyyJZyREdShLkkVzZcMkxDgDnSKSiW\Fresche.exe.com d5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1644
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
PID:1120
-
-
-