Analysis
max time kernel: 47s
max time network: 53s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 03:50
Static task: static1
Behavioral task: behavioral1
  Sample: 3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe
  Resource: win10v2004-20220901-en
General
Target: 3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe
Size: 256KB
MD5: aff0d310d04cb4c75dcf7094b5ffaa19
SHA1: 9f1fa0479a20f251794636737612ca5cc8db4840
SHA256: 3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115
SHA512: eb8b8e09d56651106aa7806c19c2cd38ec209b359cefd98463ecbd9137e526758ad2c5fca9e383da56c44b7f797fea92a5ee130b45a149fba73be4409fa849e6
SSDEEP: 6144:gdhbSZaIs6pafHEdensblEyaFTYjibvify:gXGZaepK2ensb+zcjEvify
Malware Config
Signatures
UAC bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: server.scr)
Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (process: server.scr)
Executes dropped EXE 2 IoCs
  PID 1732 server.scr
  PID 1068 server.scr
Loads dropped DLL 5 IoCs
  PID 1376 3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe (4 times)
  PID 1732 server.scr
Windows security modification
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (process: server.scr)
Checks whether UAC is enabled
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: server.scr)
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: server.scr)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: server.scr)
Suspicious use of SetThreadContext 1 IoCs
  PID 1732 set thread context of 1068 (pid 1732, server.scr, procid_target 28)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 2 IoCs
  PID 1068 server.scr (2 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeBackupPrivilege (pid 1732, server.scr)
Suspicious use of SetWindowsHookEx 2 IoCs
  PID 1376 3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe
  PID 1732 server.scr
Suspicious use of WriteProcessMemory 22 IoCs
  PID 1376 wrote to memory of 1732 (pid 1376, 3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe, procid_target 26), 7 times
  PID 1732 wrote to memory of 1068 (pid 1732, server.scr, procid_target 28), 11 times
  PID 1068 wrote to memory of 1240 (pid 1068, server.scr, procid_target 10), 4 times
System policy modification 1 TTPs 1 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: server.scr)
Processes
C:\Windows\Explorer.EXE (PID 1240)
  C:\Users\Admin\AppData\Local\Temp\3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3a97473b414f253e80b393c564ffeb7125651f2202ed5c86553422ef9d924115.exe" (PID 1376)
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server.scr
    command line: "C:\Users\Admin\AppData\Local\Temp\server.scr" /S (PID 1732)
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\server.scr
      command line: C:\Users\Admin\AppData\Local\Temp\server.scr (PID 1068)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 228KB
MD5: d431a9fbca0e6551861b55a38043ad97
SHA1: 34386aed41a25f62f648d753c946f97c92dc2d40
SHA256: 53479cfda1d1c944c94e47d4ad1006269b5dd83b8250bb4bea3872ee2a69ee64
SHA512: 5da7d734ac75ba7961ad02e7b524d829cf29cbf4dcaef5f5021cb299bc411a10a8f9e4b3ebc4ff43fe82013066016ae560b50df241b648bd8e473bb9dd7d1f52