Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    105s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 01:35 UTC

Errors

Reason
Machine shutdown (the sample itself forced a reboot with shutdown.exe -r -f -t 10, see Processes; the run ended at that point rather than at the time limit)

General

  • Target

    7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe

  • Size

    96KB

  • MD5

    8b7998d0f4236f4d0bb2c145a27fcf77

  • SHA1

    72a366ce17c86fae0ffe25411f11a6704637f454

  • SHA256

    7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee

  • SHA512

    5ee0e46758a9142debbcb35dc1701c319651d0d4061867f11ce5fd50032cafe109cdec96b476e9aec84d5eaa718d98eb47d35437cdb6b988facb70ec3eca574f

  • SSDEEP

    1536:7mGuD0/OD6fctEwAynAnOQjbQokSrHPHvFHJR+ltYGpMPkjBBPZW8HaYD2BzyAoP:6GlctCDQpSrHvvFHJRP3QBPZW8HhD2Bq

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service (2 TTPs, 2 IoCs)
  • UAC bypass (3 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter (1 TTP, 4 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
    "C:\Users\Admin\AppData\Local\Temp\7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Modifies Internet Explorer Phishing Filter
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1608
    • C:\Windows\SysWOW64\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -f -t 10
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1680
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1052
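The following triage helper replays constructed process and registry events against the behaviours listed under Signatures and Processes above. It is an added example, not tria.ge's own signature code: the registry locations it checks (Policies\System for EnableLUA and the UAC consent values, SharedAccess\Parameters\FirewallPolicy, Internet Explorer\PhishingFilter) are the usual ones such signatures watch and are an assumption here, because the report gives IoC counts but not the values that matched; the event list, the SID and the written data are constructed. The shutdown event keeps the report's SysWOW64 image with a System32 command line, which is what WOW64 file-system redirection produces when a 32-bit parent launches shutdown.exe.

```python
"""Replay constructed Sysmon-style events against the behaviours this report
flags. Added example, not tria.ge code: the registry locations below are the
usual ones such signatures watch and are an assumption, since the report lists
IoC counts but not the matched values."""
import ntpath
import re
import shlex
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "reg_query", "reg_set" or "proc_create"
    image: str         # process that performed the action
    key: str = ""      # registry key (reg_* events)
    value: str = ""    # registry value name (reg_* events)
    data: str = ""     # data written (reg_set events)
    cmdline: str = ""  # command line (proc_create events)


# Assumed registry locations behind the report's signatures (lower-cased).
UAC_POLICY = r"hklm\software\microsoft\windows\currentversion\policies\system"
FIREWALL_POLICY = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy"
PHISHING_FILTER = r"\software\microsoft\internet explorer\phishingfilter"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


def norm_key(key: str) -> str:
    """Canonicalise hive names, repeated separators and case for exact comparison."""
    k = (key.replace("HKEY_LOCAL_MACHINE", "HKLM")
            .replace("HKEY_CURRENT_USER", "HKCU")
            .replace("HKEY_USERS", "HKU"))
    return re.sub(r"\\+", r"\\", k).lower()


def reboot_timeout(cmdline: str):
    """Delay in seconds of a forced-reboot command line ('shutdown -r -f ...'),
    or None when the command line is not one. Accepts -x and /x switches."""
    args = [a.lower().replace("/", "-") for a in shlex.split(cmdline, posix=False)[1:]]
    if "-r" not in args or "-f" not in args:
        return None
    if "-t" in args:
        i = args.index("-t") + 1
        if i < len(args) and args[i].isdigit():
            return int(args[i])
    return 30  # shutdown.exe's default delay when -t is omitted


def classify(ev: Event) -> list:
    """Names of the report's signatures a single event would trigger."""
    hits = []
    key = norm_key(ev.key)
    if ev.kind == "reg_query" and key == UAC_POLICY and ev.value.lower() == "enablelua":
        hits.append("Checks whether UAC is enabled")
    if ev.kind == "reg_set":
        if key == UAC_POLICY:
            if ev.value.lower() in UAC_VALUES and ev.data.strip() == "0":
                hits.append("UAC bypass")
            else:
                hits.append("System policy modification")
        if key.startswith(FIREWALL_POLICY):
            hits.append("Modifies firewall policy service")
        if PHISHING_FILTER in key:
            hits.append("Modifies Internet Explorer Phishing Filter")
        if key.startswith("hku\\"):
            hits.append("Modifies data under HKEY_USERS")
    if ev.kind == "proc_create" and ntpath.basename(ev.image).lower() == "shutdown.exe":
        delay = reboot_timeout(ev.cmdline)
        if delay is not None:
            hits.append(f"Forced reboot via shutdown.exe ({delay}s)")
    return hits


def summarize(events) -> Counter:
    """Signature name -> number of matching events, like the IoC counts in the report."""
    return Counter(h for ev in events for h in classify(ev))


# Constructed events mirroring this report's process tree. The SID and the
# registry values written are placeholders, not data taken from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    Event("reg_query", SAMPLE, key=POLICY_KEY, value="EnableLUA"),
    Event("reg_set", SAMPLE, key=POLICY_KEY, value="EnableLUA", data="0"),
    Event("reg_set", SAMPLE, key=POLICY_KEY, value="DisableRegistryTools", data="1"),
    Event("reg_set", SAMPLE,
          key=r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
          value="EnableFirewall", data="0"),
    Event("reg_set", SAMPLE,
          key=r"HKEY_USERS\S-1-5-21-1111-2222-3333-1000\Software\Microsoft\Internet Explorer\PhishingFilter",
          value="Enabled", data="0"),
    # 32-bit parent: image lands in SysWOW64 although the command line names System32.
    Event("proc_create", r"C:\Windows\SysWOW64\shutdown.exe",
          cmdline=r'"C:\Windows\System32\shutdown.exe" -r -f -t 10'),
    Event("proc_create", r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),  # benign control
]

if __name__ == "__main__":
    for name, n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n} IoCs  {name}")
```

Running the script prints one line per signature with its event count. The "Forced reboot via shutdown.exe" indicator is the example's own name; the report records that behaviour only as the shutdown.exe child process and the resulting "Machine shutdown" error, which is exactly why a short -t delay is worth flagging in triage: it cuts the sandbox run short.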

Network

  • DNS lookup: www3.sexown.com
    Process: 7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
    Remote address: 8.8.8.8:53 (US)
    Request: www3.sexown.com IN A
    Response: No results found
  • Summary: 8.8.8.8:53, www3.sexown.com, dns, 7defc8cea1f8ee830e1985c78728051534456daf78b229fcf6566ff3ce9d32ee.exe
    Sent: 61 B (1 packet)
    Received: 61 B (1 packet)

    DNS Request

    www3.sexown.com

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1608-57-0x0000000075A91000-0x0000000075A93000-memory.dmp
    Filesize: 8KB
  • memory/1680-59-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp
    Filesize: 8KB
