Analysis
  max time kernel: 150s
  max time network: 46s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 13/09/2022, 18:09
Static task: static1
Behavioral task: behavioral1
  Sample: TNT Original Invoice.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: TNT Original Invoice.exe
  Resource: win10v2004-20220812-en
General
  Target: TNT Original Invoice.exe
  Size: 599KB
  MD5: 46321b1bc573a076cf8ea7cb465265c9
  SHA1: 0f63beac6211f02def56730e3c92e66577abce93
  SHA256: 86daf1fa99266c6c93338a27544826818d36f983547fb54b5b0c18a95a3671b7
  SHA512: 76e563ac759ff6677dddffd4a5e2a74a56694086c71526a407ff537b3cbd5ca6c2d0ee9cadc272e1ae7bea3a615faff43d7881600b1f18b728a14c9ad84a36c7
  SSDEEP: 12288:44xxyhCTPS9TRZBdqxuR6mCJhdNWM6owSaBiUrIlZIBl98bddZBnaD5jWcy:Lz8TLBdLRsjX6owS9IlibNBnaVK
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1716   schtasks.exe
- Suspicious behavior: EnumeratesProcesses (39 IoCs)
  pid    Process
  1572   TNT Original Invoice.exe (37 of the 39 entries)
  1948   powershell.exe
  896    powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1572   TNT Original Invoice.exe
  Token: SeDebugPrivilege   1948   powershell.exe
  Token: SeDebugPrivilege   896    powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid    Process                    procid_target
  PID 1572 wrote to memory of 1948   1572   TNT Original Invoice.exe   27   (4 entries)
  PID 1572 wrote to memory of 896    1572   TNT Original Invoice.exe   29   (4 entries)
  PID 1572 wrote to memory of 1716   1572   TNT Original Invoice.exe   31   (4 entries)
  PID 1572 wrote to memory of 1144   1572   TNT Original Invoice.exe   33   (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
  PID: 1572
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
    PID: 1948
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kuoCxdHtR.exe"
    PID: 896
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kuoCxdHtR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF558.tmp"
    PID: 1716
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
    PID: 1144
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: ee2adea01d68922eb52caa7b20d68b95
  SHA1: 28baff44c43a0eea23e07f8d10f7bf8202123554
  SHA256: 5b40622cf25665d3d0765eefa1bd27a8a71fe05cd45ca77bb4372126aff5f74c
  SHA512: 908df4dfc707adfbc1a54f8b1d1a8e5ac14281d33da75d777bddcc33ae78d81a0df857284480df53fb71a071284ef0e34a27b315daed2024aeadcc9a10391631
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a685300535d9318124216b28eb34d3c6
  SHA1: 6e18f540e569a03596f1a464d1c2e8b910321897
  SHA256: 5aa849e9317ff3fa8164b5547de0162227c587aed03703f2f0b4d0dcf3524cce
  SHA512: 8ac005d9b00a78bcca2ef7d45c04af9cc490b7a43903fcc4e8e6606875cf578a47a4ad645dfa33350a919f6de43616dfe90533b2bab830b8a8aa87f2ccd19f56