Analysis
max time kernel: 128s
max time network: 154s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25/06/2022, 09:52

Static task: static1

Behavioral task: behavioral1
Sample: adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe
Resource: win10v2004-20220414-en

General
Target: adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe
Size: 502KB
MD5: ab5be0d669ea17b096b0ab7f70c46d31
SHA1: c0baca7a79c5acbe9b1a326539798599308ad94b
SHA256: adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610
SHA512: 81362639d5e390577403e299df111017ca0246092234c3bdb40968b9cab0ff4ddfaab51c2ed75d253dfd718c682da216ff4d544b828b102b8f94f297e3e55d42
Malware Config
Extracted
oski
serhuwadwtr.xyz
Signatures

Oski
Oski is an infostealer targeting browser data and crypto wallets.

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource: behavioral1/memory/1996-57-0x0000000002110000-0x000000000214C000-memory.dmp
yara_rule: rezer0

Suspicious use of SetThreadContext (1 IoC)
description: PID 1996 set thread context of 948
pid: 1996 | Process: adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe | procid_target: 30

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid: 552 | pid_target: 948 | Process: WerFault.exe | procid_target: 30

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 1660 | Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid: 1996 | Process: adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe (3 identical rows)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege | pid: 1996 | Process: adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe

Suspicious use of WriteProcessMemory (18 IoCs; identical rows collapsed, count in the last column)
description | pid | Process | procid_target | rows
PID 1996 wrote to memory of 1660 | 1996 | adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe | 28 | 4
PID 1996 wrote to memory of 948 | 1996 | adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe | 30 | 10
PID 948 wrote to memory of 552 | 948 | MSBuild.exe | 34 | 4
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe"
  PID: 1996
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpBKSSqrmfw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp687.tmp"
    PID: 1660
    - Creates scheduled task(s)

  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    PID: 948
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 756
      PID: 552
      - Program crash
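The signature rows and the process tree above tell one story when read together: the sample writes into a child MSBuild.exe it spawned, redirects that child's thread with SetThreadContext (the process-hollowing pattern behind the ReZer0 hit), and separately registers a scheduled task from an XML file in the user's Temp directory. The following Python is an added example for this page, not code from tria.ge or from the sample's authors. It parses rows in the report's own "PID X wrote to memory of Y" / "set thread context of" wording together with a process table built from the process tree (row counts shortened), and emits a hollowing finding and a persistence finding. The list of hollowing host binaries and the random-name heuristic are this editor's assumptions, not something the report states.

```python
"""Triage helper: correlate sandbox signature rows with the process tree."""
import re
from collections import Counter

# Constructed from the report: sample name, user Temp path, and a pid -> (parent, image, command line) table.
SAMPLE = "adddf3a8edacd49f26632d6e2db61c77c1e4f52a0f3ef042528f15eba7aab610.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCESSES = {
    1996: (None, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    1660: (1996, r"C:\Windows\SysWOW64\schtasks.exe",
           r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpBKSSqrmfw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp687.tmp"'),
    948: (1996, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", '"{path}"'),
    552: (948, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 756"),
}

# Constructed signature rows in the report's wording; the report lists 18 WriteProcessMemory rows, shortened here.
SIGNATURE_ROWS = [
    "PID 1996 wrote to memory of 1660",
    "PID 1996 wrote to memory of 1660",
    "PID 1996 wrote to memory of 948",
    "PID 1996 wrote to memory of 948",
    "PID 1996 wrote to memory of 948",
    "PID 1996 set thread context of 948",
    "PID 948 wrote to memory of 552",
]

# Assumption (analyst-chosen, not from the report): signed .NET utilities commonly used as hollowing hosts.
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def image_name(pid, procs):
    return procs[pid][1].rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Count (source pid, verb, target pid) triples from 'PID X <verb> Y' rows."""
    events = Counter()
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            events[(int(m.group(1)), m.group(2), int(m.group(3)))] += 1
    return events


def crash_reporter_for(pid, procs):
    """True when a WerFault.exe child of pid reports on pid itself (-p <pid>), i.e. the injected code crashed."""
    for _child, (parent, image, cmd) in procs.items():
        if parent == pid and image.lower().endswith("\\werfault.exe") and re.search(rf"-p {pid}\b", cmd):
            return True
    return False


def find_hollowing(events, procs):
    """Hollowing pattern: a parent writes into a child it created, then redirects the child's thread with SetThreadContext."""
    findings = []
    for (src, verb, dst), _n in events.items():
        if verb != "set thread context of":
            continue
        writes = events.get((src, "wrote to memory of", dst), 0)
        if writes and dst in procs and procs[dst][0] == src:
            host = image_name(dst, procs)
            findings.append({
                "type": "process_hollowing", "source": src, "target": dst,
                "target_image": host, "memory_writes": writes,
                "known_host": host in HOLLOW_HOSTS,
                "crashed": crash_reporter_for(dst, procs),
            })
    return findings


def arg_value(cmd, flag):
    """Value of a quoted or bare schtasks argument such as /TN or /XML ('' when absent)."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2) or "") if m else ""


def looks_random(name):
    """Heuristic (assumption): long, mixed-case, nearly vowel-free leaf names are typical of generated task names."""
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return len(name) >= 8 and vowels / len(name) < 0.2 and name != name.lower() and name != name.upper()


def find_task_persistence(procs):
    """Persistence pattern: schtasks /Create whose task definition XML comes from the user's Temp directory."""
    findings = []
    for pid, (parent, image, cmd) in procs.items():
        if image.lower().endswith("\\schtasks.exe") and "/create" in cmd.lower():
            task, xml_path = arg_value(cmd, "/TN"), arg_value(cmd, "/XML")
            findings.append({
                "type": "scheduled_task", "pid": pid, "parent": parent, "task": task, "xml": xml_path,
                "xml_in_temp": "\\appdata\\local\\temp\\" in xml_path.lower(),
                "random_name": looks_random(task.rsplit("\\", 1)[-1]),
                "parent_in_temp": parent is not None and "\\appdata\\local\\temp\\" in procs[parent][1].lower(),
            })
    return findings


def triage(rows=SIGNATURE_ROWS, procs=PROCESSES):
    """All findings for one report: hollowing chains first, then scheduled-task persistence."""
    return find_hollowing(parse_rows(rows), procs) + find_task_persistence(procs)


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On this report the script yields one hollowing finding (1996 into 948, MSBuild.exe, three writes in the shortened rows, crashed because WerFault.exe 552 reports on -p 948) and one scheduled-task finding (Updates\NpBKSSqrmfw, XML read from Temp, random-looking leaf, parent running from Temp). In production the process table would come from the sandbox's machine-readable output or from endpoint telemetry rather than a hand-built dictionary; the correlation logic does not change.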
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 2c6d8ea5f054dd66ab509b5f64f9c638
SHA1: 561d1111af0786c21f72b69dde37dfd2f5dc49b3
SHA256: f269d395f28bd1b0e59fd798f31b9c0951d900e8101a3841673050a4cd8e89b3
SHA512: 64941a9f1edaabf07a3c6cb5170ccf16ccf279e887d95450ac2a5d5e32ffa3effcb516c0097080280edbe46e546321e45f1281e7d80a228a7a52e4a55a5b88cc