
Analysis

  • max time kernel
    75s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 14:05

General

  • Target

    55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe

  • Size

    179KB

  • MD5

    4254a38cd7d8fcda7bf9908659da9800

  • SHA1

    131acfda848702a843cc2f8c41c9dc908c2137a3

  • SHA256

    55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69

  • SHA512

    69bef79c0dffdd06ecd4b265579d18ff0991cc8002efb7cf173b74ef1bae1c2d59d7df955b99ee44e66333502249c316d48d355395eeb6fdb67d4c4f48d58f2d

  • SSDEEP

    3072:dBAp5XhKpN4eOyVTGfhEClj8jTk+0hEH3FnzbwM7jE:YbXE9OiTGfhEClq97H1YMs

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
    "C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:840
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:2032
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs"
      2⤵
      • Drops file in Drivers directory
      PID:2024
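
The process tree above is the part of this report that translates most directly into a detection: a script host (cmd.exe, WScript.exe) executing a .bat or .vbs that lives under Program Files (x86), launched by an executable running out of a user's Temp directory, with one parent fanning out to several such children. The following is an added example written for this page, not tria.ge's own code. The events are constructed from the Processes section (PIDs, images and command lines as listed); the field names follow Sysmon Event ID 1, and the parent of the sample itself (explorer.exe) is an assumption, since the report does not show it.

```python
"""Detection logic for the process chain shown in this report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# LOLBins that execute script files; the report's chain uses cmd.exe and WScript.exe.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}

# Drive-rooted path ending in a script extension, inside a quoted or unquoted token.
# [^"]*? keeps the match inside one quoted argument, which matters for the
# doubled quotes in the report's cmd line: cmd /c ""C:\...\x.bat" "
SCRIPT_PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"]*?\.(?:bat|cmd|vbs|vbe|js|jse|wsf))(?=["\s]|$)', re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r'^[A-Za-z]:\\Program Files( \(x86\))?\\', re.IGNORECASE)
USER_TEMP_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Findings for one process-creation event (empty list means no hit)."""
    findings = []
    if basename(ev.image) not in SCRIPT_HOSTS:
        return findings
    for path in SCRIPT_PATH_RE.findall(ev.command_line):
        if PROGRAM_FILES_RE.match(path):
            findings.append(f"{basename(ev.image)} runs script from Program Files: {path}")
    # Chain context: the script host was launched by an executable in a user temp dir.
    if findings and USER_TEMP_RE.match(ev.parent_image):
        findings.append(f"parent is a user-temp executable: {basename(ev.parent_image)}")
    return findings


def scan(events) -> tuple:
    """Return (hits, fan_out): findings keyed by PID, and parents with >= 2 flagged children."""
    hits = {}
    for ev in events:
        findings = classify(ev)
        if findings:
            hits[ev.pid] = findings
    fan_out = Counter(ev.ppid for ev in events if ev.pid in hits)
    return hits, {ppid: n for ppid, n in fan_out.items() if n >= 2}


# Constructed from the report's Processes section; the sample's own parent is assumed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe")
DROP_DIR = r"C:\Program Files (x86)\LuaZ\PTka"
BAT = DROP_DIR + r"\_nekjg_jdkgsfkj.bat"
VBS1 = DROP_DIR + r"\nasdfsfgdfsdfgkrasit.vbs"
VBS2 = DROP_DIR + r"\i1_r2123r23r23r234at.vbs"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
SAMPLE_EVENTS = [
    ProcEvent(1604, 1, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(840, 1604, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{BAT}" "', SAMPLE),
    ProcEvent(2032, 1604, WSCRIPT, f'"C:\\Windows\\System32\\WScript.exe" "{VBS1}"', SAMPLE),
    ProcEvent(2024, 1604, WSCRIPT, f'"C:\\Windows\\System32\\WScript.exe" "{VBS2}"', SAMPLE),
]

if __name__ == "__main__":
    hits, fan_out = scan(SAMPLE_EVENTS)
    for pid, findings in hits.items():
        print(pid, findings)
    print("fan-out:", fan_out)
```

Running it flags PIDs 840, 2032 and 2024 and reports PID 1604 as the parent of all three; the sample itself is not a script host and produces no finding on its own, which is why the parent/fan-out context is what carries the signal. Scripts under Program Files are uncommon for normal software, so false positives are mostly installers, which the user-temp parent condition does not filter out by itself; tune on the directory name if this runs fleet-wide.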

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat

    Filesize

    2KB

    MD5

    173c9456ba55dc96ae2f814d7dc8498d

    SHA1

    8be3e551437923443a674696bffddcf00feca5f6

    SHA256

    36a29ba74c9699a3669f7028e8e81407c7c33902bc8b0fd7ccbc0ee1874ddb66

    SHA512

    c590a297368ee6f7d7888105afca6cbca730086b3e614ccb4e38cde87497693ec410faf8e1e2586e5bceec4be0505f007fac04d93d05773a213729f064a9951a

  • C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs

    Filesize

    547B

    MD5

    95b51611c95969446d7f040364a432d9

    SHA1

    ab6ecb745d97b15c9643b9dc525c12852e05c200

    SHA256

    530bdad03da31c4ce33c5c2bf3eaadd36d907d9ae7c55b71a5489be86684af52

    SHA512

    9aa32ef67bc21a979f7d62178cfd4c6703f220fb853dfb18b48f31447744fed849e5bf0a76bb60ecb711d0008375623dcf8b5ce2d36b22a6f5dbe72a5dc5b70e

  • C:\Program Files (x86)\LuaZ\PTka\kroka.txt

    Filesize

    44B

    MD5

    e3bc75de29aaa206dbcf7a00e5044b55

    SHA1

    c4aae8959c0cbe2524e532806582ed93764e4997

    SHA256

    8d7f2d6aa8a170ecddeb3980e3519a522fdfd364a106b87da3b2d138207d8b6f

    SHA512

    ffd1dcbc08bf6b5d3da6271b24bd3f5cb1f9b4525169efa6943aebba4b6fb5e7af1ae22d68bc039144e9cc120c8fd558b73ad03f629df10cc695f7d66009acc3

  • C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs

    Filesize

    381B

    MD5

    a7a6ceb36ffee1ab53f843fe510ed946

    SHA1

    dadc4a91d8cace6e25d4f18c1198619e405202ca

    SHA256

    f86d6c0ae3e4159757eb2285d9e43eb1a0d96b152d5be3d469ae279324f1e9aa

    SHA512

    849ea144d89f787fa4654a727fc4e138efc7a2423f299fd7d1d072af0ef0247bb1294c8add800b911115f97a8a73c1aafe83ae677225ef2d66293a4c6859055f

  • C:\Windows\System32\drivers\etc\hosts

    Filesize

    1KB

    MD5

    9b9285872ec42104cedb8def1ba2a600

    SHA1

    43526f37ebe628b5a031b2aa3e0ae978b62129a1

    SHA256

    4b587ccb2280a8b09dc0f770e1a2badeee96c9080a3f4a93d1078df93c118f96

    SHA512

    d7a37e15f12e3e9a752cec5b332dd2614a30149e7a63dbee7390d99f79ef0015c6eab45671197430cc12b8fc1cd14ab7443c26c0823eb93cda9ec9176a8989fd
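
The hosts-file write above is the one dropped file here that changes the host's behaviour rather than just staging the next step: a modified hosts file either sinkholes names (update or security-vendor domains to 127.0.0.1 or 0.0.0.0) or redirects them to an attacker-chosen address. The report records the file's hashes but not its contents, so the following added example (not tria.ge's code) uses a constructed sample showing both patterns; the only value taken from the report is the SHA256 of the dropped hosts file, which is what you would compare a suspect machine's copy against.

```python
"""Triage of a Windows hosts file against the entry in this report (added example)."""
import hashlib
import ipaddress

# SHA256 of C:\Windows\System32\drivers\etc\hosts as recorded by the sandbox for this sample.
REPORT_HOSTS_SHA256 = "4b587ccb2280a8b09dc0f770e1a2badeee96c9080a3f4a93d1078df93c118f96"

# Names that legitimately resolve to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def triage_hosts(data: bytes, known_bad: str = REPORT_HOSTS_SHA256) -> tuple:
    """Return (sha256, findings) for the raw bytes of a hosts file."""
    digest = hashlib.sha256(data).hexdigest()
    findings = []
    if digest == known_bad:
        findings.append("sha256 matches the hosts file dropped in the sandbox run")
    for ip, name in parse_hosts(data.decode("utf-8", "replace")):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"malformed address {ip!r} for {name}")
            continue
        if name in LOOPBACK_NAMES and addr.is_loopback:
            continue  # stock entry
        if addr.is_loopback or addr.is_unspecified:
            findings.append(f"{name} sinkholed to {ip}")  # blocks updates / AV / telemetry
        else:
            findings.append(f"{name} redirected to {ip}")  # hijacks traffic for that name
    return digest, findings


# Constructed sample (not the report's file): stock entries plus one sinkhole and one
# redirect to a TEST-NET-2 documentation address.
SAMPLE_HOSTS = b"""# stock header comments omitted
#\t127.0.0.1       localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 update.example.com        # sinkhole
198.51.100.10 bank.example.com    # redirect
"""

if __name__ == "__main__":
    digest, findings = triage_hosts(SAMPLE_HOSTS)
    print(digest)
    for finding in findings:
        print("-", finding)
```

On a live host, read the file in binary (`open(path, "rb").read()`) so the digest matches what the sandbox hashed; a text-mode read on Windows would alter line endings and never match. A hash match is conclusive for this exact file, while the entry-level findings catch variants of the same technique with different names or addresses.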

  • memory/1604-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

    Filesize

    8KB