Analysis
- max time kernel: 92s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2022, 13:08
Static task: static1
Behavioral task: behavioral1
- Sample: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
- Resource: win10v2004-20220812-en
General
- Target: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
- Size: 298KB
- MD5: a1ba185fe310d9ac9f51abbd3319f9c0
- SHA1: dea8ca3e7ac3a201fcc4702e6ba8b68aefd086a1
- SHA256: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44
- SHA512: 7a714be032389fce593c842ce126cdc104a367c4299d95e0c652faf3c3d04b7e8858db033b4bae1324193288fb662a583f43a7abce4a986c7b9c97837894bdb0
- SSDEEP: 6144:tn6XzoCb5sry2SzUznompQjcRETHSBON8:t2sm2SAM1zzSBON8
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- PID 1220: gtqadjqbe.exe
- PID 1576: gtqadjqbe.exe
Sets file execution options in registry (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gtqadjqbe.exe (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gtqadjqbe.exe\DisableExceptionChainValidation (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
Loads dropped DLL (2 IoCs)
- PID 2032: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
- PID 2032: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaDebugger = "C:\\ProgramData\\JavaDebugger0\\gtqadjqbe.exe" (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaDebugger = "C:\\ProgramData\\JavaDebugger0\\gtqadjqbe.exe" (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
Checks for any installed AV software in registry (1 TTP, 4 IoCs)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira (process: gtqadjqbe.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus (process: gtqadjqbe.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 2016 set thread context of 2032 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe, procid_target: 27)
- PID 1220 set thread context of 1576 (process: gtqadjqbe.exe, procid_target: 31)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: gtqadjqbe.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (process: gtqadjqbe.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 (process: gtqadjqbe.exe)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1720: schtasks.exe
Modifies registry class (6 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{B52F85B7-14F0-9944-80AB-F932BE87A6A2} (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{B52F85B7-14F0-9944-80AB-F932BE87A6A2}\091E01D2 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{B52F85B7-14F0-9944-80AB-F932BE87A6A2}\091E01D2\CG1\HAL = 05ee0000 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{B52F85B7-14F0-9944-80AB-F932BE87A6A2}\091E01D2\CG1\BID = 2000080013000a00e60700001400000013000f00240026000000000086195063 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{B52F85B7-14F0-9944-80AB-F932BE87A6A2}\091E01D2\CG1 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
Suspicious behavior: MapViewOfSection (2 IoCs)
- PID 1576: gtqadjqbe.exe
- PID 1576: gtqadjqbe.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege (PID 2032, process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2016: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
- PID 1220: gtqadjqbe.exe
Suspicious use of WriteProcessMemory (34 IoCs)
- PID 2016 wrote to memory of 2032 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe, procid_target: 27), 11 entries
- PID 2032 wrote to memory of 1720 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe, procid_target: 28), 4 entries
- PID 2032 wrote to memory of 1220 (process: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe, procid_target: 30), 4 entries
- PID 1220 wrote to memory of 1576 (process: gtqadjqbe.exe, procid_target: 31), 11 entries
- PID 1576 wrote to memory of 1548 (process: gtqadjqbe.exe, procid_target: 32), 4 entries
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2016
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44.exe"
    - Sets file execution options in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2032
    Process (depth 3): C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN "Windows Update Check - 0x091E01D2" /TR "C:\ProgramData\JavaDebugger0\gtqadjqbe.exe /task" /RL HIGHEST
      - Creates scheduled task(s)
      PID: 1720
    Process (depth 3): C:\ProgramData\JavaDebugger0\gtqadjqbe.exe
      Command line: /ins
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1220
      Process (depth 4): C:\ProgramData\JavaDebugger0\gtqadjqbe.exe
        Command line: "C:\ProgramData\JavaDebugger0\gtqadjqbe.exe"
        - Executes dropped EXE
        - Checks for any installed AV software in registry
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 1576
        Process (depth 5): C:\Windows\SysWOW64\WerFault.exe
          Command line: "C:\Windows\SysWOW64\WerFault.exe"
          PID: 1548
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 298KB
  MD5: a1ba185fe310d9ac9f51abbd3319f9c0
  SHA1: dea8ca3e7ac3a201fcc4702e6ba8b68aefd086a1
  SHA256: f8aa76b12547939ab3ad2b1be17a97c6527e9837a0e46865262f1ba2d2078f44
  SHA512: 7a714be032389fce593c842ce126cdc104a367c4299d95e0c652faf3c3d04b7e8858db033b4bae1324193288fb662a583f43a7abce4a986c7b9c97837894bdb0