Analysis

  • max time kernel
    151s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2022, 01:45

General

  • Target

    1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70.exe

  • Size

    208KB

  • MD5

    4a40e42ac66208fe0a1b9c5f49e74125

  • SHA1

    2bc4dc35ea77048190841e3c963a8ef2fd567501

  • SHA256

    1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70

  • SHA512

    69e2fadc09470cd19a9b04ee8e8683de768b61d16cbb81db0a9752041fa312e6f64d71f63c89a2269f21b772f941481dcbfdebda5d9d550a0c2e7fb734794282

  • SSDEEP

    6144:9oAsRuQmToYfPeffkxsthVIVO+b/RnmbT4PW9UmE7ldESgvSAOugw4:9ouQmToYfPeffkxsthVIVO+b/9mbkPWI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70.exe
    "C:\Users\Admin\AppData\Local\Temp\1443e9a6d8a7ba5e0edbf5ff7e4a8f428ff3dbf21afa471d63a582c7e4794a70.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\wxkaz.exe
      "C:\Users\Admin\wxkaz.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1820

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\wxkaz.exe

    Filesize

    208KB

    MD5

    5b2593b7b69a31346717b87dbdf09b48

    SHA1

    32ada6ba35e05a8bb77565e9006e786a60fdf9be

    SHA256

    7016aaf82418082b556fa6f2095652449357e605324bbe6cbbc34e54344a9462

    SHA512

    cd9b97c7bbe90caa6affb9c839bf5ccf24703cef2dcca922b371408e4fff912b658f9c212765753a27dc2fcc889362d505b9e66c62e7b60192ba579a7f67a6c4

  • \Users\Admin\wxkaz.exe

    Filesize

    208KB

    MD5

    5b2593b7b69a31346717b87dbdf09b48

    SHA1

    32ada6ba35e05a8bb77565e9006e786a60fdf9be

    SHA256

    7016aaf82418082b556fa6f2095652449357e605324bbe6cbbc34e54344a9462

    SHA512

    cd9b97c7bbe90caa6affb9c839bf5ccf24703cef2dcca922b371408e4fff912b658f9c212765753a27dc2fcc889362d505b9e66c62e7b60192ba579a7f67a6c4

  • memory/1664-56-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

    Filesize

    8KB