Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 31/07/2022, 09:21
Static task: static1
Behavioral task: behavioral1
- Sample: 5fc3a63d5b76578a23f1aa59bc7618dd73fc42fe78355294bf587fb7587579e1.exe
- Resource: win7-20220718-en
General
- Target: 5fc3a63d5b76578a23f1aa59bc7618dd73fc42fe78355294bf587fb7587579e1.exe
- Size: 260KB
- MD5: f43faec42c367d3c8ea3c6b193398ed0
- SHA1: 360f85bde56f166c72690f09c765496a7e931dd6
- SHA256: 5fc3a63d5b76578a23f1aa59bc7618dd73fc42fe78355294bf587fb7587579e1
- SHA512: 2afba8a444824211e072e16fcf03a188fded5b324c4004180f772bacc503330899ace0c9ae9e2e97b7c0db989f9e8dd1cfaeed4d53e02d0fd84a7725f45dbce5
Malware Config
Signatures
- Detects PlugX payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1424-73-0x0000000001DD0000-0x0000000001E00000-memory.dmp | family_plugx
  behavioral1/memory/1964-74-0x0000000000250000-0x0000000000280000-memory.dmp | family_plugx
  behavioral1/memory/1964-77-0x0000000000250000-0x0000000000280000-memory.dmp | family_plugx
- Executes dropped EXE (1 IoC)
  pid | Process
  1424 | hkcmd.exe
- yara_rule upx (7 IoCs)
  resource | yara_rule
  behavioral1/files/0x000800000001231a-55.dat | upx
  behavioral1/files/0x000800000001231a-56.dat | upx
  behavioral1/files/0x000800000001231a-57.dat | upx
  behavioral1/files/0x000800000001231a-58.dat | upx
  behavioral1/files/0x000800000001231a-59.dat | upx
  behavioral1/files/0x000800000001231a-61.dat | upx
  behavioral1/memory/1424-67-0x0000000000400000-0x000000000041A000-memory.dmp | upx
- Loads dropped DLL (6 IoCs)
  pid | Process
  1544 | 5fc3a63d5b76578a23f1aa59bc7618dd73fc42fe78355294bf587fb7587579e1.exe (5 entries)
  1424 | hkcmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004500380032004600420043003300380032003100420045003000370033000000 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1964 | svchost.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1424 | hkcmd.exe
  Token: SeTcbPrivilege | 1424 | hkcmd.exe
  Token: SeDebugPrivilege | 1964 | svchost.exe
  Token: SeTcbPrivilege | 1964 | svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1424 | hkcmd.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  1424 | hkcmd.exe (2 entries)
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 1544 wrote to memory of 1424 | 1544 | 5fc3a63d5b76578a23f1aa59bc7618dd73fc42fe78355294bf587fb7587579e1.exe | 28 (7 entries)
  PID 1424 wrote to memory of 1964 | 1424 | hkcmd.exe | 29 (12 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5fc3a63d5b76578a23f1aa59bc7618dd73fc42fe78355294bf587fb7587579e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fc3a63d5b76578a23f1aa59bc7618dd73fc42fe78355294bf587fb7587579e1.exe"
  PID: 1544
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe (child of PID 1544)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
    PID: 1424
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (child of PID 1424)
      Command line: C:\Windows\system32\svchost.exe 201 0
      PID: 1964
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 34KB
  MD5: fdfbe2692b9caf2714e74b02c7e77dbd
  SHA1: 3c45cefab43569de87f0e008f23be3df6d74093f
  SHA256: f798ff4cb303a59a32ecbaf04378477ff4781c46d3843cf900c94fc2d8fa0862
  SHA512: 60d3a7f06ea4328b0da36475d5888eaca2f571e3d34edf7d2ae957433866e47f9abec2c5cccbf7df249ab1d4a594b940a25f9e0708abf5d323c17f62fd6ff101
- Filesize: 40KB
  MD5: ca7f8f2508d00b2b387dc2288b58ce3e
  SHA1: c7ecea655412981ac747de04d8d8279de7a68ef3
  SHA256: 03a3783526b0ff574d4b302b098ee3356991552b3988586752651bbd1dac99f1
  SHA512: db0b35431966d5200271f294dcc576b558af918c945779e1a795f3b13a3d157e2966e381427af53ff3edd9b09de7fb6c5f57c26bbef27bfe28145f68590244a2
- Filesize: 119KB
  MD5: bda06cd5abaccde6e13cc39599186f2d
  SHA1: 5f212f336ec9455dbf76f8b9def2eec25f31cd30
  SHA256: 742392e806273d74ea54b5e4342fa236db31a04c5b5940744185c962b87aab61
  SHA512: dc0912b0e77526b57748231660e1a85e845e5e82f3e02f5e3b6f14d0f1d9061096f11bf92da74521e5a6ded300343b3c1ea2cacff49ef13ef119a682c188837a
- Filesize: 34KB
  MD5: fdfbe2692b9caf2714e74b02c7e77dbd
  SHA1: 3c45cefab43569de87f0e008f23be3df6d74093f
  SHA256: f798ff4cb303a59a32ecbaf04378477ff4781c46d3843cf900c94fc2d8fa0862
  SHA512: 60d3a7f06ea4328b0da36475d5888eaca2f571e3d34edf7d2ae957433866e47f9abec2c5cccbf7df249ab1d4a594b940a25f9e0708abf5d323c17f62fd6ff101
- Filesize: 34KB
  MD5: fdfbe2692b9caf2714e74b02c7e77dbd
  SHA1: 3c45cefab43569de87f0e008f23be3df6d74093f
  SHA256: f798ff4cb303a59a32ecbaf04378477ff4781c46d3843cf900c94fc2d8fa0862
  SHA512: 60d3a7f06ea4328b0da36475d5888eaca2f571e3d34edf7d2ae957433866e47f9abec2c5cccbf7df249ab1d4a594b940a25f9e0708abf5d323c17f62fd6ff101
- Filesize: 34KB
  MD5: fdfbe2692b9caf2714e74b02c7e77dbd
  SHA1: 3c45cefab43569de87f0e008f23be3df6d74093f
  SHA256: f798ff4cb303a59a32ecbaf04378477ff4781c46d3843cf900c94fc2d8fa0862
  SHA512: 60d3a7f06ea4328b0da36475d5888eaca2f571e3d34edf7d2ae957433866e47f9abec2c5cccbf7df249ab1d4a594b940a25f9e0708abf5d323c17f62fd6ff101
- Filesize: 34KB
  MD5: fdfbe2692b9caf2714e74b02c7e77dbd
  SHA1: 3c45cefab43569de87f0e008f23be3df6d74093f
  SHA256: f798ff4cb303a59a32ecbaf04378477ff4781c46d3843cf900c94fc2d8fa0862
  SHA512: 60d3a7f06ea4328b0da36475d5888eaca2f571e3d34edf7d2ae957433866e47f9abec2c5cccbf7df249ab1d4a594b940a25f9e0708abf5d323c17f62fd6ff101
- Filesize: 34KB
  MD5: fdfbe2692b9caf2714e74b02c7e77dbd
  SHA1: 3c45cefab43569de87f0e008f23be3df6d74093f
  SHA256: f798ff4cb303a59a32ecbaf04378477ff4781c46d3843cf900c94fc2d8fa0862
  SHA512: 60d3a7f06ea4328b0da36475d5888eaca2f571e3d34edf7d2ae957433866e47f9abec2c5cccbf7df249ab1d4a594b940a25f9e0708abf5d323c17f62fd6ff101
- Filesize: 40KB
  MD5: ca7f8f2508d00b2b387dc2288b58ce3e
  SHA1: c7ecea655412981ac747de04d8d8279de7a68ef3
  SHA256: 03a3783526b0ff574d4b302b098ee3356991552b3988586752651bbd1dac99f1
  SHA512: db0b35431966d5200271f294dcc576b558af918c945779e1a795f3b13a3d157e2966e381427af53ff3edd9b09de7fb6c5f57c26bbef27bfe28145f68590244a2