Analysis
- max time kernel: 83s
- max time network: 88s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02/10/2022, 09:20
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
  - Resource: win10v2004-20220812-en
General
- Target: 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
- Size: 85KB
- MD5: 6e032993d60b0418ccbf429a286c7707
- SHA1: 887de4741139d9becedc4eec8c348b48b1f75c60
- SHA256: 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e
- SHA512: 345bc05026b166d8656dc33088f913232ce13d1d42fbdea8cfffc354a38da7ff4eb2da49ede72c7185ff17591e29294f827ce60110817d12cfe7b3f5c13f8674
- SSDEEP: 1536:i3LSNZSOyF6Aewor4ZXkl3CkSRpliHyPm:UutyxfVxIyLiS
Malware Config
Signatures
- Deletes itself (1 IoC)
  - pid 836, process cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\3039414000 = "C:\\Users\\Admin\\3039414000.exe" (process reg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeIncBasePriorityPrivilege, pid 1988, process 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
  - Token: SeShutdownPrivilege, pid 856, process shutdown.exe
  - Token: SeRemoteShutdownPrivilege, pid 856, process shutdown.exe
- Suspicious use of UnmapMainImage (1 IoC)
  - pid 1988, process 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
- Suspicious use of WriteProcessMemory (16 IoCs; columns: description, pid, process, procid_target)
  - PID 1988 wrote to memory of 1756, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 27
  - PID 1988 wrote to memory of 1756, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 27
  - PID 1988 wrote to memory of 1756, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 27
  - PID 1988 wrote to memory of 1756, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 27
  - PID 1756 wrote to memory of 1508, pid 1756, cmd.exe, 29
  - PID 1756 wrote to memory of 1508, pid 1756, cmd.exe, 29
  - PID 1756 wrote to memory of 1508, pid 1756, cmd.exe, 29
  - PID 1756 wrote to memory of 1508, pid 1756, cmd.exe, 29
  - PID 1988 wrote to memory of 856, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 30
  - PID 1988 wrote to memory of 856, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 30
  - PID 1988 wrote to memory of 856, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 30
  - PID 1988 wrote to memory of 856, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 30
  - PID 1988 wrote to memory of 836, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 32
  - PID 1988 wrote to memory of 836, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 32
  - PID 1988 wrote to memory of 836, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 32
  - PID 1988 wrote to memory of 836, pid 1988, 9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe, 32
Processes
- C:\Users\Admin\AppData\Local\Temp\9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9cf6080f65d106db855775d5325fb41ee15a6c90e111adfbadaf6a0466384d4e.exe"
  PID: 1988
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 3039414000 /t REG_SZ /d "%userprofile%\3039414000.exe" /f
    PID: 1756
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 3039414000 /t REG_SZ /d "C:\Users\Admin\3039414000.exe" /f
      PID: 1508
      Signatures: Adds Run key to start application
  - C:\Windows\SysWOW64\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /r /f /t 3
    PID: 856
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9CF608~1.EXE > nul
    PID: 836
    Signatures: Deletes itself
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1572
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1480