Analysis
max time kernel: 141s
max time network: 144s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/10/2022, 19:32
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General
Target: file.exe
Size: 359KB
MD5: b850cae79bd87b5fa5f3762fea7ac52b
SHA1: 4718c0c9f033471e21ea04e43cd0759761e21224
SHA256: 8319d37661855ed727fe99fb78a988300b4938e60f4003239ddadf910f4d0da3
SHA512: ab27670ae2ac1c7bb72fef1ad4d776b41714c10661478839d878d19f8ad35556769c30d1d82f92f7bcc4e52a6fc8c912acf5ea0f12a3486efe71573194311de4
SSDEEP: 6144:lRTH+eLVVvJyJ5ysGNQm1sQw+z+xaYW3z5LYuzbgwuQR2QrZwVfUPk:vTXB/yJ5U1sl+2aYa5cunn2QTc
Malware Config
Extracted
Family: nymaim
C2: 208.67.104.97
C2: 85.31.46.167
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 1784  Cleaner.exe
- Deletes itself (1 IoC)
  pid 1256  cmd.exe
- Loads dropped DLL (1 IoC)
  pid 824  cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid 1960  WerFault.exe  (pid_target 1784, procid_target 32)
- Kills process with taskkill (1 IoC)
  pid 1568  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 1996  file.exe  (3 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1996  file.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1784  Cleaner.exe
  Token: SeDebugPrivilege  pid 1568  taskkill.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  pid   Process      wrote to pid  procid_target  hits
  1996  file.exe     824           30             4
  824   cmd.exe      1784          32             4
  1784  Cleaner.exe  1960          34             3
  1996  file.exe     1256          35             4
  1256  cmd.exe      1568          37             4
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\file.exe  PID 1996
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\cmd.exe  PID 824
    command line: "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe  PID 1784
      command line: "C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\WerFault.exe  PID 1960
        command line: C:\Windows\system32\WerFault.exe -u -p 1784 -s 1148
        - Program crash
  (depth 2) C:\Windows\SysWOW64\cmd.exe  PID 1256
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\taskkill.exe  PID 1568
      command line: taskkill /im "file.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

Note: the sample is 32-bit (resource tag arch:x86), so its request for C:\Windows\System32\cmd.exe is redirected by WoW64 file system redirection to the SysWOW64 image shown as the process path. The dropped Cleaner.exe crashed (WerFault.exe -p 1784), after which the sample spawned a second cmd.exe to kill and erase its own image from %TEMP%.
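As an added example (not part of the tria.ge report or of any Nymaim tooling), the following Python reconstructs the process tree above from constructed process-creation events that mirror the report's PIDs, image paths and command lines, and flags the two patterns that make the tree suspicious: an executable launched from a user Temp directory whose ancestor chain contains another Temp-directory executable (the dropper running its payload), and a cmd.exe child that taskkills and erases its own ancestor (the "Deletes itself" signature). The event records, the field names and the regular expressions are assumptions; in production the events would come from Sysmon Event ID 1 or an EDR process-creation feed.

```python
"""Added example (not from the tria.ge report): rebuild the process tree and
flag Temp drop-and-execute and self-deletion chains.  EVENTS is constructed
to mirror the report's PIDs and command lines; field names are assumptions."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable image
    cmdline: str   # command line as logged


# Constructed process-creation events mirroring the sandbox process tree.
EVENTS = [
    ProcEvent(1996, 0, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    ProcEvent(824, 1996, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c start /I "" '
              r'"C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"'),
    ProcEvent(1784, 824, r"C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\aA7V1dp6r\Cleaner.exe"'),
    ProcEvent(1960, 1784, r"C:\Windows\system32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 1784 -s 1148"),
    ProcEvent(1256, 1996, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f '
              r'& erase "C:\Users\Admin\AppData\Local\Temp\file.exe" & exit'),
    ProcEvent(1568, 1256, r"C:\Windows\SysWOW64\taskkill.exe",
              r'taskkill /im "file.exe" /f'),
]

# Assumed patterns: path handed to erase/del, image name handed to taskkill /im,
# and a user Temp directory anywhere in an image path.
ERASE_RE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
TASKKILL_IM_RE = re.compile(r'/im\s+"?([^"\s]+)"?', re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def build_index(events):
    """Map pid -> event so the parent chain can be walked."""
    return {e.pid: e for e in events}


def ancestors(index, pid):
    """Yield parent, grandparent, ... of pid; stops at an unknown ppid or a cycle."""
    seen = set()
    while pid in index and index[pid].ppid in index and pid not in seen:
        seen.add(pid)
        pid = index[pid].ppid
        yield index[pid]


def render_tree(events, pid=None, depth=0):
    """Return indented 'pid image' lines reconstructing the process tree."""
    index = build_index(events)
    roots = [e for e in events if e.ppid not in index] if pid is None else [index[pid]]
    lines = []
    for r in roots:
        lines.append("  " * depth + f"{r.pid} {ntpath.basename(r.image)}")
        for child in (c for c in events if c.ppid == r.pid):
            lines.extend(render_tree(events, child.pid, depth + 1))
    return lines


def detect_self_delete(events):
    """cmd.exe whose command line taskkills or erases one of its own ancestors.
    Returns (cmd pid, ancestor pid, ancestor image)."""
    index = build_index(events)
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        erase, kill = ERASE_RE.search(e.cmdline), TASKKILL_IM_RE.search(e.cmdline)
        if not (erase and kill):
            continue
        erased, killed = erase.group(1).strip().lower(), kill.group(1).lower()
        for anc in ancestors(index, e.pid):
            if anc.image.lower() == erased or ntpath.basename(anc.image).lower() == killed:
                findings.append((e.pid, anc.pid, anc.image))
                break
    return findings


def detect_temp_drop_exec(events):
    """Temp-directory executable whose ancestor chain holds a different
    Temp-directory executable (dropper -> dropped payload).
    Returns (child pid, child image, dropper pid)."""
    index = build_index(events)
    findings = []
    for e in events:
        if not TEMP_RE.search(e.image):
            continue
        for anc in ancestors(index, e.pid):
            if TEMP_RE.search(anc.image) and anc.image.lower() != e.image.lower():
                findings.append((e.pid, e.image, anc.pid))
                break
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    print("self-delete chains:", detect_self_delete(EVENTS))
    print("Temp drop-and-execute:", detect_temp_drop_exec(EVENTS))
```

Walking the ancestor chain rather than only the direct parent matters here: the sample does not erase itself directly, it goes through cmd.exe, and the payload is launched through cmd.exe `start` as well, so a parent-only rule would miss both links.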
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 236KB
  MD5: 2ecb51ab00c5f340380ecf849291dbcf
  SHA1: 1a4dffbce2a4ce65495ed79eab42a4da3b660931
  SHA256: f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
  SHA512: e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
- Filesize: 2.4MB (three identical entries in the report)
  MD5: 79754768767380ef36ef446c6a1709e4
  SHA1: 2af83a6e20d7efc3119d312534b3f3968d17776e
  SHA256: cd6bb6fdf80bec69630a61707383e6430463751463635f35fce42eb97daa7060
  SHA512: 6f88e9e5f5309ff1e87666a8066333660db37f85031db6dbfb28460700a31d303e140f8dd5fe0e71f2de01706ac7e1317b8a6fd2d992a47bdaa3bb591965f461