Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 33s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 03:20
Static task: static1
Behavioral task: behavioral1
  Sample: c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe
  Resource: win10v2004-20220812-en
General
Target: c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe
Size: 41KB
MD5: 77956f3227014036992cdb81c1b40356
SHA1: 2d148e5b8c738bd71450e7348b115f6f0c86688a
SHA256: c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717
SHA512: 3bad0cc51cd4f0dd6d2470845c72739c3a73d86d2d9ee386b85cd208caf00f8db9518b7c0212d7fac325075539caf397174d44a2670bee789557568afc937193
SSDEEP: 768:QIBar1ZIZYnfI9opm6AIHIjaI7g9mVmUnRoNE/W5dRV8:pW1ZIZqI9opm6AIHIjzmU6Nzd
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
  PID   Process
  2020  sxhost.exe
-
Deletes itself 1 IoCs
  PID   Process
  1696  cmd.exe
-
Loads dropped DLL 2 IoCs
  PID   Process
  900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe
  900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 12 IoCs
  description                       PID   Process                                                                  procid_target
  PID 900 wrote to memory of 2020   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   27
  PID 900 wrote to memory of 2020   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   27
  PID 900 wrote to memory of 2020   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   27
  PID 900 wrote to memory of 2020   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   27
  PID 900 wrote to memory of 1696   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   28
  PID 900 wrote to memory of 1696   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   28
  PID 900 wrote to memory of 1696   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   28
  PID 900 wrote to memory of 1696   900   c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe   28
  PID 2020 wrote to memory of 1444  2020  sxhost.exe                                                               32
  PID 2020 wrote to memory of 1444  2020  sxhost.exe                                                               32
  PID 2020 wrote to memory of 1444  2020  sxhost.exe                                                               32
  PID 2020 wrote to memory of 1444  2020  sxhost.exe                                                               32
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717.exe"
  PID: 900
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\sxhost.exe
    Command line: "C:\Users\Admin\sxhost.exe"
    PID: 2020
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\sxhost.exe >> NUL
      PID: 1444
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C2FBF9~1.EXE >> NUL
    PID: 1696
    - Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 41KB
MD5: 77956f3227014036992cdb81c1b40356
SHA1: 2d148e5b8c738bd71450e7348b115f6f0c86688a
SHA256: c2fbf962250656d69cb75d3f703d88b68aaeb0f99c4ab93dff4918cd643da717
SHA512: 3bad0cc51cd4f0dd6d2470845c72739c3a73d86d2d9ee386b85cd208caf00f8db9518b7c0212d7fac325075539caf397174d44a2670bee789557568afc937193