Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

50d4446d78...d0.exe

windows7-x64

8

50d4446d78...d0.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 04:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50d4446d78d5293448ba3869a84928b80e3d1681d43ddad43bbe926973fb70d0.exe

  • Size

    150KB

  • MD5

    31ca2e8a5b59e40ca32a64e992d1ff47

  • SHA1

    4691182ae6fc3f7f49ac5903bb5d33e76601dbf6

  • SHA256

    50d4446d78d5293448ba3869a84928b80e3d1681d43ddad43bbe926973fb70d0

  • SHA512

    5393afca2087a1ee58fc862c7d979a31040bb0a2d48779b220d24346b941c212d61b08925f89678c80625c79752e605046147b89c9d562adcb9f5e98c4c57c67

  • SSDEEP

    3072:Kecu88h/2yroutqzAoU+WuKurV9GqZghAs10jLAH:Kech8oyroSqvU+WlY8p0jLAH

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50d4446d78d5293448ba3869a84928b80e3d1681d43ddad43bbe926973fb70d0.exe
    "C:\Users\Admin\AppData\Local\Temp\50d4446d78d5293448ba3869a84928b80e3d1681d43ddad43bbe926973fb70d0.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\50D444~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1896
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k WindowsDriver
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\windowsdriver.dll, ServiceMain
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:1948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\windowsdriver.dll
    Filesize

    75.1MB

    MD5

    882b72abf046c1eb874068fdf07a9ada

    SHA1

    7000271d35529e52862dc042d0732c8104f596ba

    SHA256

    5585ee587bdee53cafeb6bfc9d04fc0e3430ec04fa6dbc21a3e2965bd101dbdc

    SHA512

    caa21457fe6ea89600579cad428fe942fd8cdefe21ab9c8133aac722325ab4b03da684cd2971290e7221458c292580eed95e248c0fa226a822895a5ee31c1c17

    Download Submit

  • \Windows\SysWOW64\Uninstall alexa.exe
    Filesize

    5KB

    MD5

    9bf96f2e3dccb1d57295068cedaae0a5

    SHA1

    44d5a873f2acf0988877f88ae61e93070ba280b9

    SHA256

    0ab113aa05ed6326b3e38fec1dc7142ce7764eacd03fa8af4f1f6351d43966e2

    SHA512

    0077f7ff1fc171d63d6df9c96d7d5836b5762000aeab6ead3d182c2c5097235c57219cef666c0254d63a7542ea67f7d98bfe0d22992f6e2607fd154789e31ce2

    Download Submit

  • \Windows\SysWOW64\WindowsDriver.dll
    Filesize

    75.1MB

    MD5

    882b72abf046c1eb874068fdf07a9ada

    SHA1

    7000271d35529e52862dc042d0732c8104f596ba

    SHA256

    5585ee587bdee53cafeb6bfc9d04fc0e3430ec04fa6dbc21a3e2965bd101dbdc

    SHA512

    caa21457fe6ea89600579cad428fe942fd8cdefe21ab9c8133aac722325ab4b03da684cd2971290e7221458c292580eed95e248c0fa226a822895a5ee31c1c17

    Download Submit

  • \Windows\SysWOW64\WindowsDriver.dll
    Filesize

    75.1MB

    MD5

    882b72abf046c1eb874068fdf07a9ada

    SHA1

    7000271d35529e52862dc042d0732c8104f596ba

    SHA256

    5585ee587bdee53cafeb6bfc9d04fc0e3430ec04fa6dbc21a3e2965bd101dbdc

    SHA512

    caa21457fe6ea89600579cad428fe942fd8cdefe21ab9c8133aac722325ab4b03da684cd2971290e7221458c292580eed95e248c0fa226a822895a5ee31c1c17

    Download Submit

  • \Windows\SysWOW64\WindowsDriver.dll
    Filesize

    75.1MB

    MD5

    882b72abf046c1eb874068fdf07a9ada

    SHA1

    7000271d35529e52862dc042d0732c8104f596ba

    SHA256

    5585ee587bdee53cafeb6bfc9d04fc0e3430ec04fa6dbc21a3e2965bd101dbdc

    SHA512

    caa21457fe6ea89600579cad428fe942fd8cdefe21ab9c8133aac722325ab4b03da684cd2971290e7221458c292580eed95e248c0fa226a822895a5ee31c1c17

    Download Submit

  • \Windows\SysWOW64\WindowsDriver.dll
    Filesize

    75.1MB

    MD5

    882b72abf046c1eb874068fdf07a9ada

    SHA1

    7000271d35529e52862dc042d0732c8104f596ba

    SHA256

    5585ee587bdee53cafeb6bfc9d04fc0e3430ec04fa6dbc21a3e2965bd101dbdc

    SHA512

    caa21457fe6ea89600579cad428fe942fd8cdefe21ab9c8133aac722325ab4b03da684cd2971290e7221458c292580eed95e248c0fa226a822895a5ee31c1c17

    Download Submit

  • \Windows\SysWOW64\WindowsDriver.dll
    Filesize

    75.1MB

    MD5

    882b72abf046c1eb874068fdf07a9ada

    SHA1

    7000271d35529e52862dc042d0732c8104f596ba

    SHA256

    5585ee587bdee53cafeb6bfc9d04fc0e3430ec04fa6dbc21a3e2965bd101dbdc

    SHA512

    caa21457fe6ea89600579cad428fe942fd8cdefe21ab9c8133aac722325ab4b03da684cd2971290e7221458c292580eed95e248c0fa226a822895a5ee31c1c17

    Download Submit

  • memory/1708-55-0x0000000000980000-0x00000000009CE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1708-59-0x0000000000980000-0x00000000009CE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1948-68-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2008-61-0x0000000010000000-0x0000000010025000-memory.dmp

    Filesize

    148KB

    Download