Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2022, 19:21
Static task
static1
Behavioral tasks
behavioral1: sample PRD.lnk, resource win7-20220812-en
behavioral2: sample PRD.lnk, resource win10v2004-20220812-en
behavioral3: sample lkndwsjds.ps1, resource win7-20220812-en
behavioral4: sample lkndwsjds.ps1, resource win10v2004-20220812-en
General
Target: PRD.lnk
Size: 1KB
MD5: 03475b66ae9683c845b1b99c9fb7b5f1
SHA1: 6ac4dd7bc3136f7b8c1b8f8b60d855a4f606bd67
SHA256: 7ba64fb34d07705c909cb271df4f8ffd152618897b25e77379c836b5c57fe1b4
SHA512: ac41a57a4dd9993f53612c2a1b72c9375ced61d0f4e3b72403ce4d28d30c6353075756b439346cb7352be9656b4a54a76cc6846d3eb9f5fd0799372930240179
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  672   powershell.exe
  672   powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   672   powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process          procid_target
  PID 1096 wrote to memory of 672    1096   cmd.exe          29
  PID 1096 wrote to memory of 672    1096   cmd.exe          29
  PID 1096 wrote to memory of 672    1096   cmd.exe          29
  PID 672 wrote to memory of 432     672    powershell.exe   30
  PID 672 wrote to memory of 432     672    powershell.exe   30
  PID 672 wrote to memory of 432     672    powershell.exe   30
  PID 432 wrote to memory of 1496    432    csc.exe          31
  PID 432 wrote to memory of 1496    432    csc.exe          31
  PID 432 wrote to memory of 1496    432    csc.exe          31
Processes
1. C:\Windows\system32\cmd.exe (PID:1096)
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\PRD.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:672)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file lkndwsjds.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID:432)
         command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evxxe6ro.cmdline"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID:1496)
            command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3E2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF3E1.tmp"
Network
MITRE ATT&CK Enterprise v6
Downloads