Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

dd9ba29e39...70.exe

windows7-x64

9

dd9ba29e39...70.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd9ba29e39f279589c477f7044c31cf5f9b85c6edb5b7ce5a3bdd6ca3a854a70.exe

  • Size

    192KB

  • MD5

    631099792acfdeba2ae932a7978f54a6

  • SHA1

    5c37f8c0e13375cca7f7ce2e9a96a19f7ef3a70b

  • SHA256

    dd9ba29e39f279589c477f7044c31cf5f9b85c6edb5b7ce5a3bdd6ca3a854a70

  • SHA512

    4bd71a9749dbbada69a536488de9e363005a805415e88a384f3749ecc8fb0fc6bbc3c67a94d4d7bb13934019a68b7080970e571c695680a40b743e4bc7622eba

  • SSDEEP

    3072:8K5hkw3UT6SMhSl/VuyBzNVu5KT2Uj+TDdRJfkpkercz5PWVlI7I5:RkwClw4tfr05KpcRJcpkQcVPWVlD

Score
9/10
persistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd9ba29e39f279589c477f7044c31cf5f9b85c6edb5b7ce5a3bdd6ca3a854a70.exe
    "C:\Users\Admin\AppData\Local\Temp\dd9ba29e39f279589c477f7044c31cf5f9b85c6edb5b7ce5a3bdd6ca3a854a70.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\syswow64\svchost.exe
        -k netsvcs
        3⤵
          PID:896
        • C:\Windows\syswow64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          3⤵
          • Interacts with shadow copies
          PID:580
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:932

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/896-63-0x0000000000080000-0x00000000000A5000-memory.dmp

      Filesize

      148KB

      Download

    • memory/1184-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1184-55-0x0000000000290000-0x00000000002A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1184-56-0x0000000000400000-0x0000000000468000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2020-60-0x0000000074741000-0x0000000074743000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2020-61-0x0000000000080000-0x00000000000A5000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2020-66-0x0000000000080000-0x00000000000A5000-memory.dmp

      Filesize

      148KB

      Download