Analysis
max time kernel: 151s
max time network: 77s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: 2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
  Resource: win10v2004-20220812-en
General
Target: 2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
Size: 675KB
MD5: 8014c7f4da24d190fe1b43cde245b800
SHA1: 270d2c28ce05e1cdd55ab6af1ff6031f09254a09
SHA256: 2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c
SHA512: 96c8568f47887f5f9f154fd74c4371bbc01593a1e848c93b6f24e2513c1f9afbfece8d927e2853e1dfb4a1304d12fea48875a10702a2a15649e7645285e23da3
SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  1976  asbizuv.exe
  1524  ~DFA6B.tmp
  1804  wiqovuv.exe

Deletes itself (1 IoC)
  pid   Process
  1336  cmd.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  1992  2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
  1976  asbizuv.exe
  1524  ~DFA6B.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  1804  wiqovuv.exe  (18 identical events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                pid   Process
  Token: SeDebugPrivilege    1524  ~DFA6B.tmp

Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 1992 wrote to memory of 1976   1992  2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe   26  (4 identical events)
  PID 1976 wrote to memory of 1524   1976  asbizuv.exe                                                             27  (4 identical events)
  PID 1992 wrote to memory of 1336   1992  2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe   28  (4 identical events)
  PID 1524 wrote to memory of 1804   1524  ~DFA6B.tmp                                                              30  (4 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2277d5b6eed5c433844d321332f952799e4dbff9a21d15ad6f86e7d3271e2e3c.exe"
   PID: 1992
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\asbizuv.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\asbizuv.exe
      PID: 1976
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp
         Command line: C:\Users\Admin\AppData\Local\Temp\~DFA6B.tmp OK
         PID: 1524
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\wiqovuv.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\wiqovuv.exe"
            PID: 1804
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      PID: 1336
      - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 341B
  MD5: a10cca7a0d216ea139273da9e3a9d226
  SHA1: 3d90f81ba09fba6e2f72f4862519d93e043c4677
  SHA256: 8139323409b73f9dd0287cdb367e030fed6b2ee0c44ac0d22653a83d798ac227
  SHA512: 506f03074b857bed4d9f58d41e396e8aa943282dc654c0733b6c0916415e2cb997140dd1fb2144c0283a8179d0aef9ef51d4dbe8397596589d7f71effe002d73

Filesize: 681KB
  MD5: b48921b6bcbb425b35e918a2c2341145
  SHA1: cc6f37b92ac541e8c46ee555443b7ea29aa658e7
  SHA256: a75e51ecb09b9717b8dcf5d6ca2c489ff51952c45564a5877111a484eddbde62
  SHA512: 7fe96f7b197440ccad4d47fb29171efce269f5809d491ef0b8305592ad089d9bf9f958a8d02ad53c8abd7d1f330e7c32b161200993e787ce42b5def0be654135

Filesize: 681KB
  MD5: b48921b6bcbb425b35e918a2c2341145
  SHA1: cc6f37b92ac541e8c46ee555443b7ea29aa658e7
  SHA256: a75e51ecb09b9717b8dcf5d6ca2c489ff51952c45564a5877111a484eddbde62
  SHA512: 7fe96f7b197440ccad4d47fb29171efce269f5809d491ef0b8305592ad089d9bf9f958a8d02ad53c8abd7d1f330e7c32b161200993e787ce42b5def0be654135

Filesize: 104B
  MD5: 86bb2dbeaef655893262f3c041f6afe2
  SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
  SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
  SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Filesize: 480B
  MD5: f88f72fe5ddf2b467c239814d715a260
  SHA1: b5599e7d239d29988ca02d3380cf99b9a49d7cf9
  SHA256: 3f0d4b42a91843676dbe6cae8780f40ed7744ea6cefebeb4f9cf5fd13fa817e9
  SHA512: 46638ad784175ebce63d802fa5e9ff937133e781fdb57c9eb19f9d7182835ba2174de23be49b3807f6dd7d725502d01470cebf7f151496f08d6fbd8430dbdd6f

Filesize: 419KB
  MD5: 2f7c0ccab6a62f4968080097a0f73cda
  SHA1: 9ed1dfa781f4c2edd89d72ec00884c44617387a6
  SHA256: 0d0e95716d148c1a377be2b0b0c1d8dd465c672196ac84b1a8813bced018274a
  SHA512: 2d14f6a7d3a71a6c61b6e9ce0181230f2307afada24a2a6b8a9b1928560cad5febc79e70eb75f47ea3df64b4785cc553fc86b09f7be567635239f54ba9a8369d

Filesize: 688KB
  MD5: dbe905c060559344a5f81f36a6d6c098
  SHA1: a925be6f94a7e84009d60c8becd7351e312abb57
  SHA256: 239595f2f04c9cb1d3e87cb31e2df9ee1c5c5d425413b2bbbfb348f111a0d64c
  SHA512: e7875246466ceeadfabd362e93cda29d33c43df499602967f86476d4444074d5e8132fe135b39f9b7f0437ec3c3634e0c8aaeafcad51e7b84f4e14da255b3638

Filesize: 681KB
  MD5: b48921b6bcbb425b35e918a2c2341145
  SHA1: cc6f37b92ac541e8c46ee555443b7ea29aa658e7
  SHA256: a75e51ecb09b9717b8dcf5d6ca2c489ff51952c45564a5877111a484eddbde62
  SHA512: 7fe96f7b197440ccad4d47fb29171efce269f5809d491ef0b8305592ad089d9bf9f958a8d02ad53c8abd7d1f330e7c32b161200993e787ce42b5def0be654135

Filesize: 419KB
  MD5: 2f7c0ccab6a62f4968080097a0f73cda
  SHA1: 9ed1dfa781f4c2edd89d72ec00884c44617387a6
  SHA256: 0d0e95716d148c1a377be2b0b0c1d8dd465c672196ac84b1a8813bced018274a
  SHA512: 2d14f6a7d3a71a6c61b6e9ce0181230f2307afada24a2a6b8a9b1928560cad5febc79e70eb75f47ea3df64b4785cc553fc86b09f7be567635239f54ba9a8369d

Filesize: 688KB
  MD5: dbe905c060559344a5f81f36a6d6c098
  SHA1: a925be6f94a7e84009d60c8becd7351e312abb57
  SHA256: 239595f2f04c9cb1d3e87cb31e2df9ee1c5c5d425413b2bbbfb348f111a0d64c
  SHA512: e7875246466ceeadfabd362e93cda29d33c43df499602967f86476d4444074d5e8132fe135b39f9b7f0437ec3c3634e0c8aaeafcad51e7b84f4e14da255b3638