Analysis
max time kernel: 43s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 15:16
Static task: static1
Behavioral task: behavioral1
  Sample: 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe
  Resource: win10v2004-20220812-en
General
Target: 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe
Size: 36KB
MD5: 9016dcef9453112f9d7395be4b838b20
SHA1: 7ba240da64064a20b56bca3165a7ef42653d107e
SHA256: 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea
SHA512: 22bd3d3b01b4f4023e6fe676969f08ae78f8a4739375f26a6fad4782c247050e90363500fbe0b3b2d5d5e96670c0deeeba5ed1d7ad4da063224aa7bc2e4b96ee
SSDEEP: 384:L2dQuIXT375RK3l6DNDvnqzemXrJ99/BDmy4todF+HO86CxEh99y93KTe70:L6+hUMDNDvzmXrJ9Jotov+HO0043P
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 516, process cmd.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 1936, process tasklist.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1936, process tasklist.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1760, process 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Columns: description, pid, process, procid_target
  PID 1760 wrote to memory of 516, 1760, 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe, 28 (recorded 4 times)
  PID 516 wrote to memory of 1936, 516, cmd.exe, 30 (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe"
  PID: 1760
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 85d63ada869d58c67ca530db9c9df21f9566ae7785fa89da7d4011a5584bb4ea.exe
    PID: 516
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 1936
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken