Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel    41s
  max time network   45s
  platform           windows7_x64
  resource           win7-20220812-en
  resource tags      arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted          11/10/2022, 00:31
Static task
  static1
Behavioral task
  behavioral1
    Sample    94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
    Resource  win7-20220812-en
Behavioral task
  behavioral2
    Sample    94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
    Resource  win10v2004-20220812-en
General
  Target   94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
  Size     1008KB
  MD5      7b99d6a7a31553cba5b2d41e2e66a180
  SHA1     8b88927eb171be40e078b71d8b3ec0ce8c0fedf9
  SHA256   94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70
  SHA512   5a7b1f7d1d26b982ae54a9d4113a0e813fe94d254ad9fcf686745c00864b732c4e36fa044c6eb6505f150b7dc500e20750f4cfd5dd630f24ddd744e2fd3bce1b
  SSDEEP   24576:gjmqIdiK3JoSNdM1OMDl9smjyWJw525RGdfzzh1N6j4H5C:gmqPMM17h9F9q25RwPNQy5
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid   process
  1564  mscorsvw.exe
  460   Process not Found
  520   mscorsvw.exe
  1240  mscorsvw.exe

Loads dropped DLL (1 IoC)
  pid   process
  460   Process not Found

Drops file in System32 directory (6 IoCs)
  process column: "sample" = 94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
  description                   ioc                                      process
  File opened for modification  \??\c:\windows\system32\alg.exe          sample
  File created                  \??\c:\windows\system32\jebjgmag.tmp     sample
  File opened for modification  \??\c:\windows\SysWOW64\svchost.exe      sample
  File created                  \??\c:\windows\SysWOW64\pjheinjn.tmp     sample
  File opened for modification  \??\c:\windows\system32\svchost.exe      sample
  File opened for modification  \??\c:\windows\SysWOW64\alg.exe          sample

Drops file in Windows directory (14 IoCs)
  process column: "sample" = 94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
  description                   ioc                                                                    process
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe   sample
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log         mscorsvw.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat      mscorsvw.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe         sample
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe       sample
  File created                  \??\c:\windows\microsoft.net\framework\v2.0.50727\oobhpaeh.tmp         sample
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log       mscorsvw.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat    mscorsvw.exe
  File created                  \??\c:\windows\microsoft.net\framework\v4.0.30319\aolbgjnf.tmp         sample
  File created                  \??\c:\windows\microsoft.net\framework64\v4.0.30319\bcepgjhm.tmp       sample
  File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock        mscorsvw.exe
  File created                  \??\c:\windows\microsoft.net\framework64\v2.0.50727\hcemoodg.tmp       sample
  File created                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock      mscorsvw.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe         sample
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but nothing else in this report supports that reading: the only file writes recorded are to executables under \windows, and no user-file encryption or ransom note is observed. Drive enumeration is equally consistent with a file infector looking for further executables to patch, so treat the label as a weak signal rather than a classification.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  2044  94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
  Enabling SeTakeOwnershipPrivilege is what an Administrator-level process needs in order to take ownership of TrustedInstaller-owned binaries under \windows and \windows\system32 and then grant itself write access; it matches the "File opened for modification" entries for alg.exe, svchost.exe, mscorsvw.exe and aspnet_state.exe above.
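The two "Drops file" signatures, read together, show the pattern a responder should key on: the sample opens eight system executables for writing (alg.exe and svchost.exe in both System32 and SysWOW64, mscorsvw.exe in three .NET framework directories, and aspnet_state.exe) and creates one randomly named 8-letter .tmp file in each of those six directories, while the six writes by mscorsvw.exe are only the ngen_service log/lock housekeeping of that service binary. The Python below is added here as an example, not part of the tria.ge report or of any tool's code; it reconstructs that footprint from the IoC lines exactly as they appear above and turns it into a verification checklist. The line layout "File <action> <path> <process>", the handling of the NT "\??\" prefix, and the heuristic that pairs an 8-letter .tmp with the executables modified in the same directory are assumptions of this example.

```python
"""Rebuild the sample's file-system footprint from the signature IoC lines.

Added triage example; not part of the tria.ge report or of any tool's code.
Assumptions (this example's own): the IoC line layout
"File <action> <path> <process>", stripping the NT "\\??\\" prefix, and the
heuristic that an 8-letter .tmp created in the same directory as a modified
system executable is the staging file for that patch.
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

SAMPLE = "94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe"

# Copied from "Drops file in System32 directory" and "Drops file in Windows
# directory" in the report; {SAMPLE} stands in for the long sample name.
IOC_TEXT = r"""
File opened for modification \??\c:\windows\system32\alg.exe {SAMPLE}
File created \??\c:\windows\system32\jebjgmag.tmp {SAMPLE}
File opened for modification \??\c:\windows\SysWOW64\svchost.exe {SAMPLE}
File created \??\c:\windows\SysWOW64\pjheinjn.tmp {SAMPLE}
File opened for modification \??\c:\windows\system32\svchost.exe {SAMPLE}
File opened for modification \??\c:\windows\SysWOW64\alg.exe {SAMPLE}
File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe {SAMPLE}
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat mscorsvw.exe
File opened for modification \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe {SAMPLE}
File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe {SAMPLE}
File created \??\c:\windows\microsoft.net\framework\v2.0.50727\oobhpaeh.tmp {SAMPLE}
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log mscorsvw.exe
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe
File created \??\c:\windows\microsoft.net\framework\v4.0.30319\aolbgjnf.tmp {SAMPLE}
File created \??\c:\windows\microsoft.net\framework64\v4.0.30319\bcepgjhm.tmp {SAMPLE}
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe
File created \??\c:\windows\microsoft.net\framework64\v2.0.50727\hcemoodg.tmp {SAMPLE}
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe
File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe {SAMPLE}
""".replace("{SAMPLE}", SAMPLE)

ACTION_RE = re.compile(r"^File (opened for modification|created) (\S+) (\S+)$")
TMP_RE = re.compile(r"^[a-z]{8}\.tmp$")  # the random names seen in this report (assumption)

@dataclass(frozen=True)
class Event:
    action: str            # "opened for modification" or "created"
    path: PureWindowsPath  # normalised: "\??\" prefix removed, lower-cased
    process: str           # lower-cased image name

def normalise(raw: str) -> PureWindowsPath:
    """'\\??\\c:\\windows\\System32\\x' and 'C:\\Windows\\system32\\x' compare equal."""
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return PureWindowsPath(raw.lower())

def parse_iocs(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        action, path, proc = m.groups()
        events.append(Event(action, normalise(path), proc.lower()))
    return events

def writes_by_process(events: list[Event]) -> Counter:
    return Counter(e.process for e in events)

@dataclass
class DirFootprint:
    modified_exes: list[PureWindowsPath] = field(default_factory=list)
    staging_tmps: list[PureWindowsPath] = field(default_factory=list)

def footprint(events: list[Event], actor: str) -> dict[PureWindowsPath, DirFootprint]:
    """Group one process's writes by directory: executables it opened for
    writing next to the .tmp files it created there. Directories with no
    modified executable (e.g. the ngen log/lock files mscorsvw.exe wrote) drop out."""
    out: dict[PureWindowsPath, DirFootprint] = defaultdict(DirFootprint)
    for e in events:
        if e.process != actor.lower():
            continue
        d = out[e.path.parent]
        if e.action == "opened for modification" and e.path.suffix == ".exe":
            d.modified_exes.append(e.path)
        elif e.action == "created" and TMP_RE.match(e.path.name):
            d.staging_tmps.append(e.path)
    return {k: v for k, v in out.items() if v.modified_exes}

def verification_checklist(events: list[Event], actor: str) -> list[str]:
    """One line per executable whose hash and Authenticode signature must be
    compared against a clean image before the host is trusted again."""
    lines = []
    for _directory, fp in sorted(footprint(events, actor).items()):
        tmps = ", ".join(t.name for t in fp.staging_tmps) or "none seen"
        for exe in sorted(fp.modified_exes):
            lines.append(f"{exe}  (staging .tmp in same dir: {tmps})")
    return lines

if __name__ == "__main__":
    evs = parse_iocs(IOC_TEXT)
    print("writes per process:", dict(writes_by_process(evs)))
    print("\n".join(verification_checklist(evs, SAMPLE)))
```

Run as-is it prints eight checklist lines, one per rewritten executable, each with the .tmp that was staged beside it. On a host where the sample actually ran, those are the paths to compare against a clean image (Get-FileHash and Get-AuthenticodeSignature on each) before the machine is trusted: removing the dropper leaves the patched service binaries in place, and mscorsvw.exe in particular is started by the .NET Runtime Optimization Service without any further action from the attacker.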
Processes
  All four are top-level processes (tree depth 1 in the report); no parent/child relationship between the sample and the mscorsvw.exe instances is recorded. mscorsvw.exe is the .NET Runtime Optimization Service binary; it is flagged "Executes dropped EXE" because the sample had opened those three on-disk images for modification (see Signatures).

  PID 2044  C:\Users\Admin\AppData\Local\Temp\94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe"
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
  PID 1564  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
            - Executes dropped EXE
            - Drops file in Windows directory
  PID 520   C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
            command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
            - Executes dropped EXE
            - Drops file in Windows directory
  PID 1240  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
  Three distinct files are offered; the original listing repeats them (identical hashes) six times.

  File 1 (listed 4 times)
    Filesize  640KB
    MD5       f1e0de8cd47647293d45f8258a606ce7
    SHA1      0dbba7bb2fc2e632dde4e72c4424163269ef7eca
    SHA256    a1457d64fa04b1b611b519cfe456af9a6b3e5dc023eaa534b3abf70d653bc410
    SHA512    1d63ae95a3a394a7efe7f254e95d7362d1376f1036ad9dd420475dda9ca701685a5eceed102d3b252acadeb385c18974e29d0d21e57c0500c941755070ae2f18

  File 2 (listed 2 times)
    Filesize  613KB
    MD5       0010594daac948c35fb023ac672d4afa
    SHA1      ee048a9dc3dc01a43f16cbc9c05ec21ef967bfe4
    SHA256    711d96cd2bf58e38f02818e474af47ffb8d7e95ecd6e7dd3be688c3c5c18bfa0
    SHA512    51817161ba3732df6144ea60ca2a73a6cb304134fc68c88eda69e1a4b4eab9578e576065979468fbeef3836ef858b9c4f6a9039515d1411b45af07d1f5c5e7f8

  File 3 (listed once)
    Filesize  644KB
    MD5       24e352086e549b1bc084be3926b6c70f
    SHA1      c11f1373ef6375ce688fa1703eff0424b75c2465
    SHA256    40836ae1d517aea2b63327c1f42702a59d7b35b124c7a5911b4fe49f9b1b2c6d
    SHA512    64f5b8e8c3c8bdf31eaf406fc6ea8f35dabc28191e991f01afa4f5641ea3e64d0d6ff613e7fdaed8a112623460cf8af3615b83f5bb7ba8c3293e46dcf033e786