Analysis
- max time kernel: 150s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12/06/2022, 21:49
Static task
- static1
Behavioral task
- behavioral1
  Sample: ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
  Resource: win7-20220414-en
Behavioral task
- behavioral2
  Sample: ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
  Resource: win10v2004-20220414-en
General
- Target: ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
- Size: 50KB
- MD5: 1e36904aa9c6247753ec7b2e7a191384
- SHA1: a68e783571c47f6a1e580a2e4b5dc10282bc0c18
- SHA256: ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454
- SHA512: 0c2cc07e9737fac6504040c95b8b80c86d9a638630b70dbf9f1d43289ea2a4e102a712069e69cdb809bc5a9ffdbeead31f68e6c1a08002c5b38e4928baa028ba
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Executes dropped EXE (1 IoCs)
  pid 1792, Process szgfw.exe
- Loads dropped DLL (2 IoCs)
  pid 1788, Process ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
  pid 1788, Process ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1788 wrote to memory of 1792 | 1788 | ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe | 28
  PID 1788 wrote to memory of 1792 | 1788 | ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe | 28
  PID 1788 wrote to memory of 1792 | 1788 | ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe | 28
  PID 1788 wrote to memory of 1792 | 1788 | ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe "C:\Users\Admin\AppData\Local\Temp\ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe" (1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1788
  - C:\Users\Admin\AppData\Local\Temp\szgfw.exe "C:\Users\Admin\AppData\Local\Temp\szgfw.exe" (2)
    - Executes dropped EXE
    PID: 1792
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 50KB
  MD5: 0de6f54e7686158e62923dfcb14afb85
  SHA1: 9b64624cb46b1f8e5b1eba397100fb5b53aa136d
  SHA256: b483e49d36c511ea77c006acb3110b4cce4622a470f1c8d84ce6e4a99a19fef1
  SHA512: 7ec5d1a6c02c6a59caa3c70ae88ad09d8a28d6ee274663e091a7f81e98f21c427d87b260dfc5e3ff0ed837382ec15d8bb4fe6c0b353bc19b5a7465cebc3d454e