Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
  Resource: win10v2004-20220901-en
General
Target: 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
Size: 35KB
MD5: a595da27123d990e04d34cd593def9f3
SHA1: 1e3086e6a00217293d9a767e8a9fa3fcd2c18ce4
SHA256: 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7
SHA512: 8f2e4d65e9bc000b858de2564983d2d51f8108181107ef9fbd4108761acb6a3fffdbfa586f7e491c2e57a76c616ca90cfaea636e63af4129af12914601fd137f
SSDEEP: 768:mzQYScGrIubHuYtvdxwYHw5FAe2QQncwxQM:gQTIubHy5wQQ7
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1756  Process jusched.exe
- Loads dropped DLL (2 IoCs)
  pid 1048  Process 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
  pid 1048  Process 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
- Drops file in Program Files directory (2 IoCs)
  File created  C:\Program Files (x86)\b2034a42\jusched.exe  Process 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
  File created  C:\Program Files (x86)\b2034a42\b2034a42  Process 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1756  Process jusched.exe  (the same entry is repeated for all 64 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1048 wrote to memory of 1756  Process 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe  procid_target 27  (the same entry is repeated for all 4 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 1048
2. (nested under process 1) C:\Program Files (x86)\b2034a42\jusched.exe
   Command line: "C:\Program Files (x86)\b2034a42\jusched.exe"
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   PID: 1756
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- Filesize: 35KB
  MD5: 7bfd3c4ea5837effeaf3a724c79a858e
  SHA1: 1b72aea0ac75a25b898a1106469ffbb004b35195
  SHA256: 7b0c4fb941d40a7ab16463b62fcf2ff8aed4494b5f8a2ac49da9af6364ec214b
  SHA512: 73e9e6955f63d6585cbb629939eb6d8eb4d33e77497536c358e79554dcbaba748ef71e51bc95cf678404fb0afecd0797e83ed55135a57edf9adbcb89a2e4f287