Analysis
- max time kernel: 43s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 18/09/2022, 23:45
Static task: static1

Behavioral task: behavioral1
- Sample: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
- Resource: win10v2004-20220812-en
General
- Target: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
- Size: 521KB
- MD5: b59017e1b2c478b22c7079e2881ce4a4
- SHA1: 5443180e24ed328182a435f95a919d2f4b8fcc24
- SHA256: 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088
- SHA512: 0e8333a43dfe346c4b5898dc9ae5b054b160b264e3fd8338cc010dd337549610ef9207d732d33177ca406420ecbae4b88bcf4dc47687721f6044516c59492559
- SSDEEP: 12288:tKFbvjITRVN6B5SFuf2es2TX1EDFzzvhE+XSIVmPI2cL:tPRD+Uz5E/Yn7
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)

| pid | Process |
| --- | --- |
| 1704 | meh.exe |
| 520 | vbc.exe |

- YARA rule matches on memory dumps (5 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/520-64-0x0000000000400000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/520-66-0x0000000000400000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/520-67-0x0000000000400000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/520-71-0x0000000000400000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/520-76-0x0000000000400000-0x0000000000459000-memory.dmp | upx |

- Loads dropped DLL (1 IoC)

| pid | Process |
| --- | --- |
| 1704 | meh.exe |

- Uses the VBS compiler for execution (1 TTP)

- Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1704 set thread context of 520 | 1704 | meh.exe | 29 |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of SetWindowsHookEx (1 IoC)

| pid | Process |
| --- | --- |
| 520 | vbc.exe |

- Suspicious use of WriteProcessMemory (14 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1672 wrote to memory of 1704 | 1672 | 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe | 27 |
| PID 1672 wrote to memory of 1704 | 1672 | 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe | 27 |
| PID 1672 wrote to memory of 1704 | 1672 | 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe | 27 |
| PID 1672 wrote to memory of 1704 | 1672 | 10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe | 27 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
| PID 1704 wrote to memory of 520 | 1704 | meh.exe | 29 |
Processes

- C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe"
  PID: 1672
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\meh.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\meh.exe"
    PID: 1704
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
      PID: 520
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 216KB
  MD5: fe40685e334fb812696f4bc50735e11f
  SHA1: 4ea50ab2fd1e7dcebc7c741503ab03d4e1c77173
  SHA256: a5e147de4abfc324fad4000d958f8ca848251339be66228303fe45852c4cd2d7
  SHA512: b4b0fb9b6a86d44b890d25a2e93bad3204c61169d59a05e1c016f80c3255775712fac7e479fc2c534a2b52b07fb3eb9ff20e50beff8847f3181a6e7ceb9c6d1c
- Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98