Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 16/09/2022, 05:41
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20220901-en
General
- Target: tmp.exe
- Size: 44KB
- MD5: d18cd40115084975be66a5581546d094
- SHA1: 7c2f20aa9b518162defd728d2ad88c18f4b78830
- SHA256: afc7756b2e9479d748dc9424bf2639ff27107756e2a010a15e0002ccb0c270ce
- SHA512: 991178a124fa153896a87a5b8f9ee8aa17fb4fffa3adea11c6a9a180ffe73f220392a1edd0b180421539a03a36bb502c9dec4d6d2261fd0b3f25c79c0398ffcb
- SSDEEP: 768:6fXKTHyY+h6oDeQGPL4vzZq2o9W7GsxBbPr:eX2SCoDlGCq2iW7z
Malware Config
Signatures
- Matches yara rule aspack_v212_v242 (4 resources)
  resource                                     yara_rule
  behavioral1/files/0x00140000000054ab-54.dat  aspack_v212_v242
  behavioral1/files/0x00140000000054ab-55.dat  aspack_v212_v242
  behavioral1/files/0x00140000000054ab-58.dat  aspack_v212_v242
  behavioral1/files/0x00140000000054ab-60.dat  aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid   Process
  1852  DklsfF.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2036  tmp.exe
  2036  tmp.exe
- Drops file in Program Files directory (64 IoCs; each entry is a file opened for modification by DklsfF.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process     procid_target
  PID 2036 wrote to memory of 1852   2036  tmp.exe     28
  PID 2036 wrote to memory of 1852   2036  tmp.exe     28
  PID 2036 wrote to memory of 1852   2036  tmp.exe     28
  PID 2036 wrote to memory of 1852   2036  tmp.exe     28
  PID 1852 wrote to memory of 752    1852  DklsfF.exe  31
  PID 1852 wrote to memory of 752    1852  DklsfF.exe  31
  PID 1852 wrote to memory of 752    1852  DklsfF.exe  31
  PID 1852 wrote to memory of 752    1852  DklsfF.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 2036)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DklsfF.exe (PID 1852)
    command line: C:\Users\Admin\AppData\Local\Temp\DklsfF.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 752)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\01f56eda.bat" "
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 187B
  MD5: c22009a562b7f034f85bc3298891b5d7
  SHA1: d1c16bcdde0f1be3348424f6fe4d8b8d92dc570e
  SHA256: 705fc1f2d278a0928404811f73e8c6900403140d9e1dde1ef6f9ab9209abf435
  SHA512: 5918613040432ede5ad2d3ce8638482b41edd45051d654233a90389d97e3b1ea24928e694fab3a8cf8cb644ac98567771a084b663488cc2444684e1803cf5494
- Filesize: 15KB
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e