Analysis
-
max time kernel
41s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
11/10/2022, 19:07
Static task
static1
Behavioral task
behavioral1
Sample
c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
Resource
win10v2004-20220812-en
General
-
Target
c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
-
Size
105KB
-
MD5
65d9c9a18d96d8c9da65a37b4c2a5572
-
SHA1
42660dc87fd5fa12aa452a4c5cd7fd3fa20628c3
-
SHA256
c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b
-
SHA512
0f845a701c29f33a83715ebfb60e5f6b881a9a1bfe00016ac4df667f425baf88ee547cb7a87e212e13490dd07566f4d20432109599cc04c4dc27c0c0b55f6928
-
SSDEEP
3072:pxIWTjOKItEKn/tenU6suHaqwbmrFf5j:pL3FI6+1enU6su6Jbmj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
2020 | Flash Player.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid | Process
1648 | netsh.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2595e4cf2fd0c40e069caaf5bbe27c3a.exe | Flash Player.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2595e4cf2fd0c40e069caaf5bbe27c3a.exe | Flash Player.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\2595e4cf2fd0c40e069caaf5bbe27c3a = "\"C:\\Users\\Admin\\AppData\\Roaming\\Flash Player.exe\" .." | Flash Player.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2595e4cf2fd0c40e069caaf5bbe27c3a = "\"C:\\Users\\Admin\\AppData\\Roaming\\Flash Player.exe\" .." | Flash Player.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
2020 | Flash Player.exe
2020 | Flash Player.exe
2020 | Flash Player.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
Token: SeDebugPrivilege | 2020 | Flash Player.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1884 wrote to memory of 2020 | 1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe | 28
PID 1884 wrote to memory of 2020 | 1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe | 28
PID 1884 wrote to memory of 2020 | 1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe | 28
PID 1884 wrote to memory of 2020 | 1884 | c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe | 28
PID 2020 wrote to memory of 1648 | 2020 | Flash Player.exe | 29
PID 2020 wrote to memory of 1648 | 2020 | Flash Player.exe | 29
PID 2020 wrote to memory of 1648 | 2020 | Flash Player.exe | 29
PID 2020 wrote to memory of 1648 | 2020 | Flash Player.exe | 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe
"C:\Users\Admin\AppData\Local\Temp\c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Users\Admin\AppData\Roaming\Flash Player.exe
"C:\Users\Admin\AppData\Roaming\Flash Player.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Flash Player.exe" "Flash Player.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1648
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
105KB
MD5
65d9c9a18d96d8c9da65a37b4c2a5572
SHA1
42660dc87fd5fa12aa452a4c5cd7fd3fa20628c3
SHA256
c1d37d63b2ae9e5a813e29391119b32a5a96010f4de04f736e849515258e0e8b
SHA512
0f845a701c29f33a83715ebfb60e5f6b881a9a1bfe00016ac4df667f425baf88ee547cb7a87e212e13490dd07566f4d20432109599cc04c4dc27c0c0b55f6928