Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2022, 12:10
Static task: static1
Behavioral task: behavioral1
  Sample: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  Resource: win10v2004-20220812-en
General
- Target: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
- Size: 649KB
- MD5: 65dea0fc97d6416507dbc9721c86a470
- SHA1: e86f2e4c0a833815e1aab94449077fb6fa3ee00e
- SHA256: f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787
- SHA512: 692df3f336c72744038bf7460f8a526b972fe5d9a522396aa7959f3027999df6fc01460c13ef9680262a8d29b740c1ffe4809a8a80519d719a950acf673dad73
- SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  PID    Process
  884    agnacil.exe
  1412   ~DFA6A.tmp
  1860   yjkoopq.exe
- Deletes itself (1 IoC)
  PID    Process
  1380   cmd.exe
- Loads dropped DLL (3 IoCs)
  PID    Process
  1852   f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  884    agnacil.exe
  1412   ~DFA6A.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID    Process
  1860   yjkoopq.exe (16 identical events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description               PID    Process
  Token: SeDebugPrivilege   1412   ~DFA6A.tmp
- Suspicious use of WriteProcessMemory (16 IoCs)
  Description                        PID    Process                                                                  procid_target   Events
  PID 1852 wrote to memory of 884    1852   f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe    28              4
  PID 884 wrote to memory of 1412    884    agnacil.exe                                                              29              4
  PID 1852 wrote to memory of 1380   1852   f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe    30              4
  PID 1412 wrote to memory of 1860   1412   ~DFA6A.tmp                                                               32              4
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f882435caaf88b0670a80a6374d86cd1b59b783b245d88e5dddc3ec574432787.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1852
  [depth 2] C:\Users\Admin\AppData\Local\Temp\agnacil.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\agnacil.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 884
    [depth 3] C:\Users\Admin\AppData\Local\Temp\~DFA6A.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\~DFA6A.tmp OK
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1412
      [depth 4] C:\Users\Admin\AppData\Local\Temp\yjkoopq.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\yjkoopq.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 1860
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
    - Deletes itself
    PID: 1380
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 341B
  MD5: 14ad64e70a4e83a26ee7753f49662923
  SHA1: 01dc7abbb05ab6416fdff4db72d6a4056310a40e
  SHA256: e5e2feba7c153d7a6dc0f678b63829b0fe1ae5a38bb71f80fc95c55acaa8ca4b
  SHA512: 78f1acfb202fba0109d48c083a50771960f0b74053edd066ac249c990ac50dc9a331236b8579ef923a6ec30c00af41320791f5ae19a4d44e30ed1c7627ed6528
- Filesize: 654KB
  MD5: 87f51dda503d174e8c91ca00d20fd6e8
  SHA1: 8c36159094e3f05a3c2808936edc5c65fb731ec9
  SHA256: 01ded84ff102e3795fcba3af08b89bde6b900648047fe95b62582f671dbd51ae
  SHA512: 5ab59f87d6c10a12cf53e3bd0f6350e9ec7a7e8b50b2697906ddf3cd6f09f356f68c6ff547a2599c437a8c8e0d3b0ba5b7ce8ba137b95123850abe138f7b40ce
- Filesize: 654KB
  MD5: 87f51dda503d174e8c91ca00d20fd6e8
  SHA1: 8c36159094e3f05a3c2808936edc5c65fb731ec9
  SHA256: 01ded84ff102e3795fcba3af08b89bde6b900648047fe95b62582f671dbd51ae
  SHA512: 5ab59f87d6c10a12cf53e3bd0f6350e9ec7a7e8b50b2697906ddf3cd6f09f356f68c6ff547a2599c437a8c8e0d3b0ba5b7ce8ba137b95123850abe138f7b40ce
- Filesize: 104B
  MD5: 86bb2dbeaef655893262f3c041f6afe2
  SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
  SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
  SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31
- Filesize: 480B
  MD5: bb58f783db097c117c0dfc3ab873ca00
  SHA1: 7463fb1762eda75d45e1e1400517318d7c243eac
  SHA256: b28cf60ef74bc8712e3f9f794998eb34dfefb6bad8a9c0662194158a2e9c9390
  SHA512: f0ce874bde3f4ba8306e4ecde6db40d8b441066b0ff79604c04842cb08d7ec69b2ca5a1c3634b8cf32a5ee9785fb9c528c0972b7146a79c7f27a23c697be750e
- Filesize: 398KB
  MD5: 943ec8ced29422f0af0b05de61542d07
  SHA1: d34bec439b326796ec527471371b15062350ea50
  SHA256: 7c1a2ff8b4d31b4df9e59848a9cb08556004c3dd78cfba87500f3c7770c5851f
  SHA512: ca0db43e592f0ae7da963b8ad462096c2a9ee1274b640c4be35fb39aa94112d8160bf6250499e87d148bcf938daf9880065e3f66adf6be5ca570853b057f57d8
- Filesize: 661KB
  MD5: fe02ae1cd05466a03c7deccf475439d9
  SHA1: d7592f1f17e726c96a54ded584c7a31ca993e88f
  SHA256: 7d9893cdd66c6eb901e3305f8a93c2838ca5326debaf80c19385a9f4b6ead597
  SHA512: f3c9d391ac1349b9698713e3857278d3634ef05df7a21962065c77e66f36fba74bb29d3463c45d4ed5123f6dda132ad7b67df74aeaaedbf0fd15341ff449163c
- Filesize: 654KB
  MD5: 87f51dda503d174e8c91ca00d20fd6e8
  SHA1: 8c36159094e3f05a3c2808936edc5c65fb731ec9
  SHA256: 01ded84ff102e3795fcba3af08b89bde6b900648047fe95b62582f671dbd51ae
  SHA512: 5ab59f87d6c10a12cf53e3bd0f6350e9ec7a7e8b50b2697906ddf3cd6f09f356f68c6ff547a2599c437a8c8e0d3b0ba5b7ce8ba137b95123850abe138f7b40ce
- Filesize: 398KB
  MD5: 943ec8ced29422f0af0b05de61542d07
  SHA1: d34bec439b326796ec527471371b15062350ea50
  SHA256: 7c1a2ff8b4d31b4df9e59848a9cb08556004c3dd78cfba87500f3c7770c5851f
  SHA512: ca0db43e592f0ae7da963b8ad462096c2a9ee1274b640c4be35fb39aa94112d8160bf6250499e87d148bcf938daf9880065e3f66adf6be5ca570853b057f57d8
- Filesize: 661KB
  MD5: fe02ae1cd05466a03c7deccf475439d9
  SHA1: d7592f1f17e726c96a54ded584c7a31ca993e88f
  SHA256: 7d9893cdd66c6eb901e3305f8a93c2838ca5326debaf80c19385a9f4b6ead597
  SHA512: f3c9d391ac1349b9698713e3857278d3634ef05df7a21962065c77e66f36fba74bb29d3463c45d4ed5123f6dda132ad7b67df74aeaaedbf0fd15341ff449163c