Analysis
max time kernel: 148s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe
  Resource: win10v2004-20220901-en
General
Target: d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe
Size: 208KB
MD5: 44e6c1dc066a435827334a86b5e7c510
SHA1: d8e77c35ad3a6d29acf3bc80d16f726d0ca86805
SHA256: d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d
SHA512: d8ef8cf0e935e0a4b73f6b1882a7238b4401974ab19126674de01956ede1832a5df7a86a032befa553a2a8878a269564dcd4d10d1c937b4ee29cc9759b82dd4b
SSDEEP: 768:RPf7NTc7cJldamwwTA1n7//9ezT7lsPvL76gjK4ZogFA:9TJlcHnr4ePf6gjK4P
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 972  process microsft.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 320  process netsh.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\72319aa961570a0617ca539066f2af77.exe  (process microsft.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\72319aa961570a0617ca539066f2af77.exe  (process microsft.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\72319aa961570a0617ca539066f2af77 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\microsft.exe\" .."  (process microsft.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72319aa961570a0617ca539066f2af77 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\microsft.exe\" .."  (process microsft.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\3.exe"  (process d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\3.exe"  (process microsft.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid 972  process microsft.exe  (18 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 972  process microsft.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2032 wrote to memory of 972  pid 2032  process d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe  procid_target 26  (3 identical entries)
  PID 972 wrote to memory of 320  pid 972  process microsft.exe  procid_target 27  (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe"
  PID: 2032
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\microsft.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\microsft.exe"
    PID: 972
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\microsft.exe" "microsft.exe" ENABLE
      PID: 320
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 208KB
MD5: 44e6c1dc066a435827334a86b5e7c510
SHA1: d8e77c35ad3a6d29acf3bc80d16f726d0ca86805
SHA256: d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d
SHA512: d8ef8cf0e935e0a4b73f6b1882a7238b4401974ab19126674de01956ede1832a5df7a86a032befa553a2a8878a269564dcd4d10d1c937b4ee29cc9759b82dd4b