Analysis

  • max time kernel
    41s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 00:31

General

  • Target

    94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe

  • Size

    1008KB

  • MD5

    7b99d6a7a31553cba5b2d41e2e66a180

  • SHA1

    8b88927eb171be40e078b71d8b3ec0ce8c0fedf9

  • SHA256

    94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70

  • SHA512

    5a7b1f7d1d26b982ae54a9d4113a0e813fe94d254ad9fcf686745c00864b732c4e36fa044c6eb6505f150b7dc500e20750f4cfd5dd630f24ddd744e2fd3bce1b

  • SSDEEP

    24576:gjmqIdiK3JoSNdM1OMDl9smjyWJw525RGdfzzh1N6j4H5C:gmqPMM17h9F9q25RwPNQy5

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
    "C:\Users\Admin\AppData\Local\Temp\94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2044
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1564
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:520
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    PID:1240

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

    Filesize

    640KB

    MD5

    f1e0de8cd47647293d45f8258a606ce7

    SHA1

    0dbba7bb2fc2e632dde4e72c4424163269ef7eca

    SHA256

    a1457d64fa04b1b611b519cfe456af9a6b3e5dc023eaa534b3abf70d653bc410

    SHA512

    1d63ae95a3a394a7efe7f254e95d7362d1376f1036ad9dd420475dda9ca701685a5eceed102d3b252acadeb385c18974e29d0d21e57c0500c941755070ae2f18

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

    Filesize

    613KB

    MD5

    0010594daac948c35fb023ac672d4afa

    SHA1

    ee048a9dc3dc01a43f16cbc9c05ec21ef967bfe4

    SHA256

    711d96cd2bf58e38f02818e474af47ffb8d7e95ecd6e7dd3be688c3c5c18bfa0

    SHA512

    51817161ba3732df6144ea60ca2a73a6cb304134fc68c88eda69e1a4b4eab9578e576065979468fbeef3836ef858b9c4f6a9039515d1411b45af07d1f5c5e7f8

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

    Filesize

    644KB

    MD5

    24e352086e549b1bc084be3926b6c70f

    SHA1

    c11f1373ef6375ce688fa1703eff0424b75c2465

    SHA256

    40836ae1d517aea2b63327c1f42702a59d7b35b124c7a5911b4fe49f9b1b2c6d

    SHA512

    64f5b8e8c3c8bdf31eaf406fc6ea8f35dabc28191e991f01afa4f5641ea3e64d0d6ff613e7fdaed8a112623460cf8af3615b83f5bb7ba8c3293e46dcf033e786

  • \Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

    Filesize

    640KB

    MD5

    f1e0de8cd47647293d45f8258a606ce7

    SHA1

    0dbba7bb2fc2e632dde4e72c4424163269ef7eca

    SHA256

    a1457d64fa04b1b611b519cfe456af9a6b3e5dc023eaa534b3abf70d653bc410

    SHA512

    1d63ae95a3a394a7efe7f254e95d7362d1376f1036ad9dd420475dda9ca701685a5eceed102d3b252acadeb385c18974e29d0d21e57c0500c941755070ae2f18

  • memory/520-65-0x0000000010000000-0x000000001028B000-memory.dmp

    Filesize

    2.5MB

  • memory/1240-68-0x0000000000400000-0x0000000000661000-memory.dmp

    Filesize

    2.4MB

  • memory/1564-58-0x0000000010000000-0x0000000010258000-memory.dmp

    Filesize

    2.3MB

  • memory/1564-63-0x0000000010000000-0x0000000010258000-memory.dmp

    Filesize

    2.3MB

  • memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

    Filesize

    8KB

  • memory/2044-56-0x0000000000400000-0x00000000006D2000-memory.dmp

    Filesize

    2.8MB

  • memory/2044-66-0x0000000000400000-0x00000000006D2000-memory.dmp

    Filesize

    2.8MB

  • memory/2044-55-0x0000000000400000-0x00000000006D2000-memory.dmp

    Filesize

    2.8MB