Analysis
max time kernel: 150s
max time network: 72s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 17:20
Static task: static1
Behavioral task: behavioral1
  Sample: ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
  Resource: win10v2004-20220812-en
General
Target: ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
Size: 863KB
MD5: 2aefe26eba53a75ca3b663545549f020
SHA1: 9be4c98aaaf9669138a98fbd1008c82d35dbefb9
SHA256: ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630
SHA512: e6c82853bf943325ba49e767058750c5e5164ea38623d917f2fa46853df3425df3dc2dd96fb225349b87203855491361f5611c533f316117244900cd3fa85bd1
SSDEEP: 12288:ti7TnKAB6uTsseXay+oD02kJvIqYXQ/byNZj6CGtp4juSl0I1whVIMHclz0/3Cgb:4xo2eKIFUIlXQ/sZ+alN1qd8B0/31
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 1860  indefender.exe

Loads dropped DLL (2 IoCs)
  pid 852  ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe  (2 entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run  (indefender.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\indefender.exe"  (indefender.exe)

Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by indefender.exe: \??\N:, \??\R:, \??\S:, \??\I:, \??\M:, \??\Y:, \??\Q:, \??\W:, \??\K:, \??\P:, \??\T:, \??\U:, \??\V:, \??\G:, \??\J:, \??\H:, \??\L:, \??\O:, \??\X:, \??\Z:, \??\E:, \??\F:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0  (indefender.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid 852   ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe  (1 entry)
  pid 1860  indefender.exe  (23 entries)

Suspicious behavior: RenamesItself (1 IoC)
  pid 852  ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe

Suspicious use of FindShellTrayWindow (12 IoCs)
  pid 1860  indefender.exe  (12 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid 1860  indefender.exe  (12 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1860  indefender.exe  (2 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 852 (ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe) wrote to memory of PID 1860, procid_target 27  (4 entries)
Processes

Path: C:\Users\Admin\AppData\Local\Temp\ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe"
PID: 852
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory

  Child process
  Path: C:\ProgramData\indefender.exe
  Command line: C:\ProgramData\indefender.exe
  PID: 1860
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 836KB
MD5: 06da0c5c19a0b3f33321abec211b642a
SHA1: 1d3bfecbd67d35a47b4f56d264bd481ff8f7f3e9
SHA256: b93712a07bf740e87d869772097d673b122d648df6cc123855206df39c3662f1
SHA512: dd55dd124ae483f3bf64fc4eca5d13f17330c5d4002188613ea4c6db4327c9d779cc4f1259ff048494d4f53d0030dd7cfdcd268f515b9addd6b5c8e1e5fa8071