Analysis
max time kernel: 151s
max time network: 71s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2022, 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: 5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
  Resource: win10v2004-20220812-en
General
Target: 5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
Size: 653KB
MD5: 6f037d17c6329d9588780ec79f8e9340
SHA1: 449dce3cb321e3a47b54265830b833e5625f37a1
SHA256: 5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38
SHA512: f195bb8962bda57898f6801e9071d8659d2bad8af22642e8b946072f6442ab05eee8c08d88f99a013e9ca28d96c233f0ecbe0a5b30e7e653a1f35de511eccf2d
SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Signatures
- Executes dropped EXE (3 IoCs)
  PID   Process
  1932  buovpet.exe
  2032  ~DFA4F.tmp
  1732  mogyxot.exe
- Deletes itself (1 IoC)
  PID   Process
  1696  cmd.exe
- Loads dropped DLL (3 IoCs)
  PID   Process
  864   5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe
  1932  buovpet.exe
  2032  ~DFA4F.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID   Process
  1732  mogyxot.exe  (all 18 records come from this one process)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description               PID   Process
  Token: SeDebugPrivilege   2032  ~DFA4F.tmp
- Suspicious use of WriteProcessMemory (16 IoCs; each parent/child pair is logged four times, once per write)
  Description                        PID   Process                                                                   procid_target  Records
  PID 864 wrote to memory of 1932    864   5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe     27             4
  PID 1932 wrote to memory of 2032   1932  buovpet.exe                                                               28             4
  PID 864 wrote to memory of 1696    864   5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe     29             4
  PID 2032 wrote to memory of 1732   2032  ~DFA4F.tmp                                                                31             4
Processes
C:\Users\Admin\AppData\Local\Temp\5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe"
  PID: 864
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\buovpet.exe  (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\buovpet.exe
    PID: 1932
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp  (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\~DFA4F.tmp OK
      PID: 2032
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\mogyxot.exe  (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\mogyxot.exe"
        PID: 1732
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
    PID: 1696
    - Deletes itself
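The WriteProcessMemory records and the process tree above together give the lineage of the dropped executables (864 -> 1932 -> 2032 -> 1732) and the batch-file self-deletion (864 -> 1696). The script below is an added example and not part of the tria.ge report: it rebuilds that tree from the report's own "PID A wrote to memory of B" descriptions, collapses the repeated records into a per-edge write count, and flags the cmd /c ...bat command line behind the "Deletes itself" hit. The event strings and command lines are transcribed from this page; the record format, the regular expressions and the rule "a .bat run from the sample's own Temp directory" are the example's own assumptions, not Triage behaviour.

```python
import re
from collections import Counter, defaultdict

# Transcribed from the report above. The hash-named sample is shortened
# to SAMPLE for readability; it is the same process (PID 864).
SAMPLE = "5c073170c04c30363e9aa26a5079185d2750d4f6ba92ea5e9377c9dbdee4eb38.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# PID -> (image name, command line), from the "Processes" section.
PROCESSES = {
    864:  (SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    1932: ("buovpet.exe", f"{TEMP}\\buovpet.exe"),
    2032: ("~DFA4F.tmp", f"{TEMP}\\~DFA4F.tmp OK"),
    1732: ("mogyxot.exe", f'"{TEMP}\\mogyxot.exe"'),
    1696: ("cmd.exe", f'cmd /c ""{TEMP}\\_uninsep.bat" "'),
}

# The 16 "Suspicious use of WriteProcessMemory" descriptions in report
# order. Triage emits one record per write, hence the repeats.
WPM_EVENTS = (
    ["PID 864 wrote to memory of 1932"] * 4
    + ["PID 1932 wrote to memory of 2032"] * 4
    + ["PID 864 wrote to memory of 1696"] * 4
    + ["PID 2032 wrote to memory of 1732"] * 4
)

# Assumed record format (matches the descriptions on this page).
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Installer-style self-delete: cmd /c running a .bat, possibly wrapped
# in doubled quotes exactly as in this report.
SELFDEL_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"*([^"]+?\.bat)\b', re.I)


def parse_wpm(line):
    """Return (writer_pid, target_pid), or None for an unrelated line."""
    m = WPM_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def build_tree(events):
    """Collapse repeated records into a parent -> sorted children map and
    a per-edge write count. In this report every write goes into a PID
    that appears as the writer's child in the process tree, so the writer
    is treated as the parent (an inference, not a Triage guarantee)."""
    children = defaultdict(set)
    writes = Counter()
    for line in events:
        pair = parse_wpm(line)
        if pair is None:
            continue
        writer, target = pair
        children[writer].add(target)
        writes[pair] += 1
    return {p: sorted(c) for p, c in children.items()}, writes


def root_pids(tree):
    """PIDs that write to others but are never written to: the origin."""
    targets = {c for kids in tree.values() for c in kids}
    return set(tree) - targets


def lineage(tree, pid):
    """Path from the root down to pid, e.g. [864, 1932, 2032, 1732]."""
    parent = {c: p for p, kids in tree.items() for c in kids}
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def render(tree, names, pid, depth=0):
    """Indented text tree in the style of the report's Processes section."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, ('?',))[0]}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


def self_delete_candidates(processes):
    """PIDs running 'cmd /c <file>.bat' where the .bat lives in the
    sample's own Temp directory: the pattern behind 'Deletes itself'."""
    hits = {}
    for pid, (_, cmdline) in processes.items():
        m = SELFDEL_RE.search(cmdline)
        if m and m.group(1).lower().startswith(TEMP.lower()):
            hits[pid] = m.group(1)
    return hits


if __name__ == "__main__":
    tree, writes = build_tree(WPM_EVENTS)
    for root in sorted(root_pids(tree)):
        print("\n".join(render(tree, PROCESSES, root)))
    for (w, t), n in sorted(writes.items()):
        print(f"{w} -> {t}: {n} WriteProcessMemory records")
    for pid, bat in self_delete_candidates(PROCESSES).items():
        print(f"self-delete batch: PID {pid} runs {bat}")
```

Run as-is it prints the same tree the report shows (864 at the root, 1696 and 1932 as its children, 1732 three levels deep) and one self-delete hit for PID 1696. When applying this to a different report, check the WriteProcessMemory targets against the process tree before trusting the writer-as-parent inference: a process that injects into an already-running process is a writer but not a parent.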
Downloads (dropped files; the report gives hashes only, no paths)
File 1
  Filesize: 341B
  MD5: 727a8a11bbc13b55c31696ee7f03c54e
  SHA1: f316e869e5c89d5801294fc1b61d1380edf498f1
  SHA256: ed86410b977699bedcae441373ed5a9a71740c624028fb9414299f4019fe212e
  SHA512: cac20385509df1989397048c94f419b752ad594ceafbb8320ec12c64dc2655a39ec236d74a639ac6c97037c8381854e0c83b69692eb2b1f67dd38de27eee7512
File 2 (listed 3 times in the report with identical hashes)
  Filesize: 662KB
  MD5: 5a76ce0de3b184d8fdeaf4b6d5e88b34
  SHA1: 7d31c46243cd00db3f8ba8b5423d330a95f70c9b
  SHA256: c3259d41b5794239b8b0aecb095e3cf073a44ea78d5c980d6c8f0b8322b61101
  SHA512: b77b3e8289bc10398af5871ca7ed76879cd53ad171542a4f4864a0e46260043f5e847f28852714fb8f3588997786320449792d3214d1cb3438684aeb509f93bf
File 3
  Filesize: 104B
  MD5: 86bb2dbeaef655893262f3c041f6afe2
  SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
  SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
  SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31
File 4
  Filesize: 480B
  MD5: 4fbf1651c3833996fd969361d6d3c203
  SHA1: 6be27179a4234c30564b4f08217f2eb0f07f62ab
  SHA256: 116f3600c742a0d3e00c0d71c724b492fa7edef54e526426598564be7129c766
  SHA512: 105716d41d6f8e67b2c0b937c2ea8ccca56fe7dc6227a9ea9d0e98cc6d442e74d9a473dd9ce351add9adb46f0c7c5975b6f50c466b77dd8d9123753562b1fc9f
File 5 (listed 2 times in the report with identical hashes)
  Filesize: 398KB
  MD5: 7d1f5f4e8e318735dc3538152433e955
  SHA1: 630d95e0cbe953d416e76e526ff2ebee011d6ac8
  SHA256: 21eb2f7998a79b618991e6e8420c365091de970dafcb6f5d5bc21057a0ec8ecb
  SHA512: 132177aaeabec92f276ee89bc1a664fe98f4fcf69441dc8b852c06683d8ed3c09823e1068cc4ca213fdea4a033511f25dde66a07db2e7df7d83bc443393c9366
File 6 (listed 2 times in the report with identical hashes)
  Filesize: 671KB
  MD5: 695553221f1da5818710606b73bf410d
  SHA1: 99ef379aa6d4bff4fbcc5d0340fafa696c15b97c
  SHA256: 24d51d64b5b26472337708ff2f42fb1002f14cd5cfb1f1ab67d212ebf3a1cc11
  SHA512: 5d47d5c836217f546c8c042aa4a01707d5e4c88edbfc4f18662ba68d8dbee56616a5d11579fe890b8d04feab270650f489aedabf12290fb2643d64d0ecb1ef55