Analysis
max time kernel: 75s
max time network: 73s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 14:05
Static task: static1
Behavioral task: behavioral1
  Sample: 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
  Resource: win10v2004-20220812-en
General
Target: 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
Size: 179KB
MD5: 4254a38cd7d8fcda7bf9908659da9800
SHA1: 131acfda848702a843cc2f8c41c9dc908c2137a3
SHA256: 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69
SHA512: 69bef79c0dffdd06ecd4b265579d18ff0991cc8002efb7cf173b74ef1bae1c2d59d7df955b99ee44e66333502249c316d48d355395eeb6fdb67d4c4f48d58f2d
SSDEEP: 3072:dBAp5XhKpN4eOyVTGfhEClj8jTk+0hEH3FnzbwM7jE:YbXE9OiTGfhEClq97H1YMs
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  3    | 2032 | WScript.exe
  5    | 2032 | WScript.exe

Drops file in Drivers directory (3 IoCs)
  description                  | ioc                                   | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | WScript.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hîsts | WScript.exe

Drops file in Program Files directory (4 IoCs)
  description                  | ioc                                                       | Process
  File opened for modification | C:\Program Files (x86)\LuaZ\PTka\kroka.txt                | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
  File opened for modification | C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat      | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
  File opened for modification | C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
  File opened for modification | C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       | pid  | Process                                                              | procid_target
  PID 1604 wrote to memory of 840   | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 28
  PID 1604 wrote to memory of 840   | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 28
  PID 1604 wrote to memory of 840   | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 28
  PID 1604 wrote to memory of 840   | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 28
  PID 1604 wrote to memory of 2032  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 30
  PID 1604 wrote to memory of 2032  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 30
  PID 1604 wrote to memory of 2032  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 30
  PID 1604 wrote to memory of 2032  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 30
  PID 1604 wrote to memory of 2024  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 31
  PID 1604 wrote to memory of 2024  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 31
  PID 1604 wrote to memory of 2024  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 31
  PID 1604 wrote to memory of 2024  | 1604 | 55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe"
   PID: 1604
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat" "
      PID: 840
      - Drops file in Drivers directory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs"
      PID: 2032
      - Blocklisted process makes network request
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs"
      PID: 2024
      - Drops file in Drivers directory

The leading numbers are the report's tree depth: the three level-2 processes are children of PID 1604, which is consistent with the WriteProcessMemory rows targeting PIDs 840, 2032 and 2024. The image paths sit under SysWOW64 although the command lines name System32: the children are 32-bit, and a 32-bit parent asking for C:\Windows\System32\WScript.exe is sent to the SysWOW64 copy by the WOW64 file system redirector. The .bat and two .vbs files that cmd.exe and WScript.exe execute are the same four files the parent staged under C:\Program Files (x86)\LuaZ\PTka, so the "Drops file in Program Files directory" IoCs and this tree describe one dropper-to-script handoff.
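The signatures and process tree above can be turned into three concrete checks: a non-default file name appearing in drivers\etc (the report lists a file named hîsts beside hosts), any process opening the real hosts file for modification, and a script host launched by a parent running out of a user temp directory. The following is an added example written for this page, not tria.ge code or output. The event tuples are transcribed from the report's rows; the default-file list for drivers\etc, the empty allowlist of hosts writers and the choice of which image names count as script hosts are the author's assumptions.

```python
"""Triage rules over the file and process activity in the report above.

Added example, not tria.ge code.  FILE_EVENTS and PROCESSES are transcribed
from the report; KNOWN_ETC_FILES, the allowlist and the script-host names are
assumptions about a default Windows install.
"""
import unicodedata
from dataclasses import dataclass
from typing import Optional

SAMPLE = "55f8c0b56183c17c0230ea699a7d65d62d2875f8deda8c2f5defd677d9805d69.exe"

# Files a default install places in drivers\etc (assumption: anything else there is suspect).
ETC_DIR = r"c:\windows\system32\drivers\etc"
KNOWN_ETC_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}

# (process image, path opened for modification), transcribed from the report's IoC rows.
FILE_EVENTS = [
    ("cmd.exe", r"C:\Windows\System32\drivers\etc\hosts"),
    ("WScript.exe", r"C:\Windows\System32\drivers\etc\hosts"),
    ("WScript.exe", "C:\\Windows\\System32\\drivers\\etc\\h\u00eests"),  # the 'hîsts' row
    (SAMPLE, r"C:\Program Files (x86)\LuaZ\PTka\kroka.txt"),
    (SAMPLE, r"C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat"),
    (SAMPLE, r"C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs"),
    (SAMPLE, r"C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs"),
]


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Process tree from the report; parent PIDs taken from the WriteProcessMemory rows.
PROCESSES = [
    Process(1604, None, SAMPLE, r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE),
    Process(840, 1604, "cmd.exe",
            r'cmd /c ""C:\Program Files (x86)\LuaZ\PTka\_nekjg_jdkgsfkj.bat" "'),
    Process(2032, 1604, "WScript.exe",
            r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs"'),
    Process(2024, 1604, "WScript.exe",
            r'"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\LuaZ\PTka\i1_r2123r23r23r234at.vbs"'),
]


def _split(path: str):
    """Lower-cased directory and untouched basename of a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def unexpected_etc_writes(events):
    """Writes under drivers\\etc to a name outside the default set, or to a
    non-ASCII name.  The NFKD skeleton (accents stripped) is returned so a
    reviewer can see which plain name a decorated file name collapses to."""
    hits = []
    for image, path in events:
        directory, name = _split(path)
        if directory != ETC_DIR:
            continue
        if name.lower() in KNOWN_ETC_FILES and name.isascii():
            continue
        decomposed = unicodedata.normalize("NFKD", name)
        skeleton = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
        hits.append((image, name, skeleton))
    return hits


def hosts_writers(events, allowed=frozenset()):
    """Images that opened the real hosts file for modification.  Nothing in a
    stock install rewrites hosts at run time, so the allowlist starts empty."""
    return sorted({image for image, path in events
                   if _split(path) == (ETC_DIR, "hosts") and image.lower() not in allowed})


def script_hosts_spawned_from_temp(procs):
    """cmd/wscript/cscript children whose parent runs from a user temp directory:
    the dropper-to-script handoff visible in the report's process tree."""
    by_pid = {p.pid: p for p in procs}
    script_hosts = {"cmd.exe", "wscript.exe", "cscript.exe"}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or p.image.lower() not in script_hosts:
            continue
        if "\\appdata\\local\\temp\\" in parent.cmdline.lower():
            hits.append((parent.pid, p.pid, p.image))
    return hits


if __name__ == "__main__":
    for hit in unexpected_etc_writes(FILE_EVENTS):
        print("non-default file in drivers\\etc:", hit)
    print("hosts opened for modification by:", hosts_writers(FILE_EVENTS))
    for ppid, pid, image in script_hosts_spawned_from_temp(PROCESSES):
        print(f"script host {image} (pid {pid}) launched by temp-resident pid {ppid}")
```

The skeleton returned for the hîsts row is "hists", which is why the rule keys on "not in the default set" rather than on a homoglyph match: a defender does not need to decide what a stray name was meant to look like, only that it does not belong in that directory. The same three functions run unchanged over events pulled from Sysmon EID 11 (FileCreate) and EID 1 (ProcessCreate) once they are mapped to the same tuples.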
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: 173c9456ba55dc96ae2f814d7dc8498d
  SHA1: 8be3e551437923443a674696bffddcf00feca5f6
  SHA256: 36a29ba74c9699a3669f7028e8e81407c7c33902bc8b0fd7ccbc0ee1874ddb66
  SHA512: c590a297368ee6f7d7888105afca6cbca730086b3e614ccb4e38cde87497693ec410faf8e1e2586e5bceec4be0505f007fac04d93d05773a213729f064a9951a
- Filesize: 547B
  MD5: 95b51611c95969446d7f040364a432d9
  SHA1: ab6ecb745d97b15c9643b9dc525c12852e05c200
  SHA256: 530bdad03da31c4ce33c5c2bf3eaadd36d907d9ae7c55b71a5489be86684af52
  SHA512: 9aa32ef67bc21a979f7d62178cfd4c6703f220fb853dfb18b48f31447744fed849e5bf0a76bb60ecb711d0008375623dcf8b5ce2d36b22a6f5dbe72a5dc5b70e
- Filesize: 44B
  MD5: e3bc75de29aaa206dbcf7a00e5044b55
  SHA1: c4aae8959c0cbe2524e532806582ed93764e4997
  SHA256: 8d7f2d6aa8a170ecddeb3980e3519a522fdfd364a106b87da3b2d138207d8b6f
  SHA512: ffd1dcbc08bf6b5d3da6271b24bd3f5cb1f9b4525169efa6943aebba4b6fb5e7af1ae22d68bc039144e9cc120c8fd558b73ad03f629df10cc695f7d66009acc3
- Filesize: 381B
  MD5: a7a6ceb36ffee1ab53f843fe510ed946
  SHA1: dadc4a91d8cace6e25d4f18c1198619e405202ca
  SHA256: f86d6c0ae3e4159757eb2285d9e43eb1a0d96b152d5be3d469ae279324f1e9aa
  SHA512: 849ea144d89f787fa4654a727fc4e138efc7a2423f299fd7d1d072af0ef0247bb1294c8add800b911115f97a8a73c1aafe83ae677225ef2d66293a4c6859055f
- Filesize: 1KB
  MD5: 9b9285872ec42104cedb8def1ba2a600
  SHA1: 43526f37ebe628b5a031b2aa3e0ae978b62129a1
  SHA256: 4b587ccb2280a8b09dc0f770e1a2badeee96c9080a3f4a93d1078df93c118f96
  SHA512: d7a37e15f12e3e9a752cec5b332dd2614a30149e7a63dbee7390d99f79ef0015c6eab45671197430cc12b8fc1cd14ab7443c26c0823eb93cda9ec9176a8989fd