Analysis
- max time kernel: 124s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2022, 06:06
Static task
- static1
Behavioral task
- behavioral1
  Sample: 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
  Resource: win10v2004-20220901-en
General
- Target: 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
- Size: 48KB
- MD5: 776967505dde899169b6b19bd00ad240
- SHA1: 1fc9e2c0ce9294e268055db4e91962efd85cf575
- SHA256: 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7
- SHA512: 20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a
- SSDEEP: 1536:mrPKVrZ8A1zBMx84USXZEIo8/Wfsg3Tt2l:mrPKVZzMKAWfHh2l
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid  | Process
  996  | SVCHOST.EXE
  2032 | MDM.EXE
  580  | SVCHOST.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "C:\\Windows\\MDM.EXE" | MDM.EXE
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | MDM.EXE
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description                  | ioc            | Process
  File created                 | C:\AutoRun.inf | SVCHOST.EXE
  File opened for modification | C:\AutoRun.inf | SVCHOST.EXE
- Drops file in Windows directory (5 IoCs)
  description                  | ioc                    | Process
  File opened for modification | C:\Windows\SVCHOST.INI | SVCHOST.EXE
  File created                 | C:\Windows\MDM.EXE     | SVCHOST.EXE
  File opened for modification | C:\Windows\MDM.EXE     | SVCHOST.EXE
  File opened for modification | C:\WINDOWS\SVCHOST.EXE | 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
  File created                 | C:\WINDOWS\SVCHOST.EXE | 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         | pid  | Process | procid_target
  PID 1880 wrote to memory of 996     | 1880 | 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe | 28
  PID 1880 wrote to memory of 996     | 1880 | 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe | 28
  PID 1880 wrote to memory of 996     | 1880 | 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe | 28
  PID 1880 wrote to memory of 996     | 1880 | 66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe | 28
  PID 996 wrote to memory of 2032     | 996  | SVCHOST.EXE | 29
  PID 996 wrote to memory of 2032     | 996  | SVCHOST.EXE | 29
  PID 996 wrote to memory of 2032     | 996  | SVCHOST.EXE | 29
  PID 996 wrote to memory of 2032     | 996  | SVCHOST.EXE | 29
  PID 2032 wrote to memory of 580     | 2032 | MDM.EXE | 30
  PID 2032 wrote to memory of 580     | 2032 | MDM.EXE | 30
  PID 2032 wrote to memory of 580     | 2032 | MDM.EXE | 30
  PID 2032 wrote to memory of 580     | 2032 | MDM.EXE | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe"
  PID: 1880
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\SVCHOST.EXE
    Command line: "C:\WINDOWS\SVCHOST.EXE"
    PID: 996
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\MDM.EXE
      Command line: "C:\Windows\MDM.EXE"
      PID: 2032
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SVCHOST.EXE
        Command line: "C:\Windows\SVCHOST.EXE"
        PID: 580
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads