Analysis
- max time kernel: 150s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2022, 14:51
Behavioral task: behavioral1
- Sample: 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe
- Resource: win7-20220812-en
General
- Target: 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe
- Size: 298KB
- MD5: 1e8f0889c59378e310770338bd32ef79
- SHA1: 7a0737c5b4dce1430f2f56cfaae4a8345ac69d66
- SHA256: 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae
- SHA512: 9326ad541217ee30b568af1d64e79378727f1ad16d9880d90ef05994788cc74e82d6d6b329576240a071d0b6c99bb8780771d3aad244b622b2beec5d117eedf9
- SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYh:v6Wq4aaE6KwyF5L0Y2D1PqLg
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE (2 IoCs)
pid | Process
2008 | svhost.exe
1452 | svhost.exe

resource | yara_rule
behavioral1/files/0x00140000000054ab-56.dat | upx
behavioral1/files/0x00140000000054ab-58.dat | upx
behavioral1/files/0x00140000000054ab-60.dat | upx
behavioral1/memory/1440-62-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2008-64-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/1452-65-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/1440-66-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2008-68-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/1452-69-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\j: | svhost.exe
File opened (read-only) | \??\n: | svhost.exe
File opened (read-only) | \??\t: | svhost.exe
File opened (read-only) | \??\i: | svhost.exe
File opened (read-only) | \??\b: | svhost.exe
File opened (read-only) | \??\e: | svhost.exe
File opened (read-only) | \??\f: | svhost.exe
File opened (read-only) | \??\g: | svhost.exe
File opened (read-only) | \??\h: | svhost.exe
File opened (read-only) | \??\p: | svhost.exe
File opened (read-only) | \??\r: | svhost.exe
File opened (read-only) | \??\a: | svhost.exe
File opened (read-only) | \??\v: | svhost.exe
File opened (read-only) | \??\y: | svhost.exe
File opened (read-only) | \??\s: | svhost.exe
File opened (read-only) | \??\m: | svhost.exe
File opened (read-only) | \??\w: | svhost.exe
File opened (read-only) | \??\x: | svhost.exe
File opened (read-only) | \??\z: | svhost.exe
File opened (read-only) | \??\l: | svhost.exe
File opened (read-only) | \??\o: | svhost.exe
File opened (read-only) | \??\q: | svhost.exe
File opened (read-only) | \??\u: | svhost.exe
File opened (read-only) | \??\k: | svhost.exe
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1440-62-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2008-64-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/1452-65-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/1440-66-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2008-68-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/1452-69-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svhost.exe | 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe
File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
1440 | 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe
2008 | svhost.exe
1452 | svhost.exe
1452 | svhost.exe
1452 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 2008 svhost.exe 1452 svhost.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe -
Suspicious use of SendNotifyMessage (64 IoCs)
pid Process 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1440 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe 1452 svhost.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 2008 svhost.exe 1452 svhost.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 2008 svhost.exe 2008 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe 1452 svhost.exe -
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1440 wrote to memory of 2008 | 1440 | 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe | 28
PID 1440 wrote to memory of 2008 | 1440 | 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe | 28
PID 1440 wrote to memory of 2008 | 1440 | 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe | 28
PID 1440 wrote to memory of 2008 | 1440 | 3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe | 28
PID 2008 wrote to memory of 1452 | 2008 | svhost.exe | 29
PID 2008 wrote to memory of 1452 | 2008 | svhost.exe | 29
PID 2008 wrote to memory of 1452 | 2008 | svhost.exe | 29
PID 2008 wrote to memory of 1452 | 2008 | svhost.exe | 29
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ecf06a01abb97a4fc4f2a91242d1c8a05386aaec37438178325cf2d3adb0cae.exe"
  PID: 1440
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\svhost.exe
    Command line: C:\Windows\svhost.exe
    PID: 2008
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\svhost.exe
      Command line: C:\Windows\svhost.exe
      PID: 1452
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 298KB
  MD5: 58dc0feb1ce40699cf1f9df6c53a7d1a
  SHA1: 61e95d60e7f393d0a8d7bcfe574e7f27ac3927b4
  SHA256: 4732f805d7f6bedb7b3f356aadde0657d19df590795af12184c047840e8ebb3c
  SHA512: 24edafe42079fcf36b7f7442c9fef0b1fe4a95ca410c3915c3b5bfddd8f808827974a05bd32e6a52448b6554c1ddea4a4f789fff708eb44c1af887404d39afc5