Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    183s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 04:02

General

  • Target

    Full Install.exe

  • Size

    1.3MB

  • MD5

    70364fa4e186b91a1782ac29a13bb3ad

  • SHA1

    1f4c9fb938ac2d78a8a3ea091bd9395e962d5589

  • SHA256

    72592d99f4521b4cc9014bc2a361e84382de2e12610aa32ea5927a6d75228939

  • SHA512

    d2ad64ece3371d90ff140d9ed27ffcfa93bbadd9175f7b08feaefb8e4ea9203dcf23b4f98a23fb19969c03aee85f8986096e21678eb746f9b89e4156c40a23dd

  • SSDEEP

    24576:4RmJkcoQricOIQxiZY1iazQGeD9EMuoKqFX8amJ54lkrNu/3vL:9JZoQrbTFZY1iaXs9EMb1sxL3rA3vL

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 8 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Full Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Full Install.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\calc.exe
      "C:\Windows\SysWOW64\calc.exe"
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:1836
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:1764

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/904-54-0x0000000075281000-0x0000000075283000-memory.dmp

    Filesize

    8KB

  • memory/948-57-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/948-55-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/948-73-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/948-74-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB