
10/10/2022, 12:26

221010-pl6vysbgc6 8

Analysis

  • max time kernel
    140s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/10/2022, 12:26

General

  • Target
    sd.exe
  • Size
    529KB
  • MD5
    08aaa7f4e2c1278c0e9b06ce4e6c217d
  • SHA1
    2cb4b4fb1ec8305ef03e1802f56be22b12379a0c
  • SHA256
    8834c84cfd7e086f74a2ffa5b14ced2c039d78feda4bad610aba1c6bb4a6ce7f
  • SHA512
    7a40ae329864cddf73acbc6435e7d8e977c44c2a91a71f8aaaf7a52d2d898b5392f0c7b3e4d9d2b34dcd55437c1ab68bd0d40480440eb600c0a606b53e179e03
  • SSDEEP
    6144:yNYl/n0+1JZi7al4y3FMLv2fVvmcMnNtEmdOJ3jsdp5K/GmdNpK5IL03:yNYl/0Val4GVed7RdOZczCK2LC

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sd.exe
    "C:\Users\Admin\AppData\Local\Temp\sd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\snapHTM.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\system32\mode.com
        mode con: cols=50 lines=15
        3⤵
          PID:4628
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic logicaldisk where "drivetype=3" get name /format:value
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic logicaldisk where "drivetype=3" get name /format:value
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3752
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Snap2HTML.exe
          Snap2HTML.exe -path:C:\ -outfile:C:\Windows\SnipeDrives\C.html -silent
          3⤵
          • Executes dropped EXE
          PID:204

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Snap2HTML.exe
      Filesize
      161KB
      MD5
      db9677194f84ed3ec78454a538c73704
      SHA1
      486e6d7166fdc2ec0b0e0f922931b1f92d665739
      SHA256
      fce7db964bef4b37f2f430c6ea99f439e5be06e047f6386222826df133b3a047
      SHA512
      4d494ef85ac86fd6026fcc7c0dd61fc7ca4f036a1fe98bf7416d79aa2dc80bbb4fbbf1d20ada82100c50568f80de8267ef2cfbe0b8f1a3f294b0ba3324b70d50

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\snapHTM.bat
      Filesize
      1KB
      MD5
      4d6a4e6d7e3ca01d5960d3c563e5d911
      SHA1
      62a98f4dcb213b59b3ed2edbbcfa5e226e3be8e2
      SHA256
      b699e6e9cbab88965f8fc357e6d98fa0e27bd446148af3664876066fc21a2937
      SHA512
      eced432e8e71d5fa7dc0b03b1104a2de2bc61021a8f53a0cd9a61fced8c525345f6de94d9deef5a46b55b060d17957892ca1a0dedd43b155e285a576a8b4f1b7

    • memory/204-140-0x0000000000010000-0x000000000003E000-memory.dmp
      Filesize
      184KB

    • memory/204-141-0x00007FF87DA60000-0x00007FF87E521000-memory.dmp
      Filesize
      10.8MB

    • memory/204-142-0x00007FF87DA60000-0x00007FF87E521000-memory.dmp
      Filesize
      10.8MB