Analysis
max time kernel: 43s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2022, 20:54
Static task: static1
Behavioral task: behavioral1
  Sample: b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
  Resource: win10v2004-20220812-en
General
Target: b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
Size: 600KB
MD5: 797871aad1cf127495c446876025ad28
SHA1: 801f1c3000f8369cc2dad59c85c579ebfabbda04
SHA256: b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9
SHA512: d1cea280434c2c64eb229a986a66e7e8deb2d6bf1df06d72d89a3467c9bedbbd8aed9c261e8cc35b8ad64697323ac21a17edab20cc03e71f5d37ee0c60ffba63
SSDEEP: 12288:i78ByWqjMd2TgDc66CVE8rObc/2izosb5u6uWeZUdE+pznUaH:EsyWqjxgDc6YoObcdoWE/jUdE+pDUaH
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  1048  s1186.exe
Loads dropped DLL (4 IoCs)
  pid  Process
  704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
  704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
  704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
  704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1048  s1186.exe
  1048  s1186.exe
  1048  s1186.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1048  s1186.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1048  s1186.exe
  1048  s1186.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid  Process                                                                   procid_target
  PID 704 wrote to memory of 1048    704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe  27
  PID 704 wrote to memory of 1048    704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe  27
  PID 704 wrote to memory of 1048    704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe  27
  PID 704 wrote to memory of 1048    704  b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe  27
Processes
1. C:\Users\Admin\AppData\Local\Temp\b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe (PID 704)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\n1186\s1186.exe (PID 1048, child of PID 704)
      Command line: "C:\Users\Admin\AppData\Local\Temp\n1186\s1186.exe" 7e757072b22cf6735c6f4ee7WfZrJSh6LpTgDMsBQuhRz/RruOdKlthuf4wY0I0RkgxbcPWXvg45YhRgQxBFmMvYgtYB01OkJVNmzlopUdbGrI3+imFlSdUxqtBf1SO8mj1j/UFniVMaLgbS1TyS1tEDjvWTQP/n29p3WnxThZoRxaG+UqP2+FySihLYCA== /v "C:\Users\Admin\AppData\Local\Temp\b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe" /a
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 220KB
MD5: e2fa37bbdada70ed09883b4f17d0c81a
SHA1: 00b1035472dde2678ba7a6f0836a36bbe02e1db6
SHA256: c2e4f6c6fc33a486c8b3620446e421de374d272743efb2b9cc89f2a8ac57a850
SHA512: 1ead5dfebbed040c2cfafa3da681d986a4ee9d99caa6f0571f981234a3d399586fd344ab6aa0c27c5c4bcd430293341d629cb89e62a92cd1fe8bdad2408f0631