Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 188s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2022, 16:28
Static task
- static1
Behavioral task
- behavioral1
  - Sample: eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
  - Resource: win10v2004-20220812-en
General
- Target: eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
- Size: 392KB
- MD5: 51d8233383c4f3da02361ef625c09a42
- SHA1: aa112dae8bb3233367fa7fa4c0c4fdf2236dc290
- SHA256: eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e
- SHA512: b957eb31b2ca46ec87eb1f3f61772c8e6bab921f96a357c94666847da16e4c2e408db7fc19875d827bcdbe601538fd1173842eb10093a439a8565cc353df9e64
- SSDEEP: 12288:Et8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS26:Et+gvMpVij/F1hV5HuvAIs
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  - pid 1972, process achsv.exe
  - pid 1480, process COM7.EXE
  - pid 1720, process COM7.EXE
  - pid 1816, process achsv.exe
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe (process COM7.EXE)
- Loads dropped DLL (8 IoCs)
  - pid 1708, process eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe (4 hits)
  - pid 1972, process achsv.exe (2 hits)
  - pid 1480, process COM7.EXE (2 hits)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE" (process reg.exe)
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files\FoxitReader\bin\COM7.EXE (process COM7.EXE)
  - File created: C:\Program Files\FoxitReader\FoxitReader.exe (process COM7.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 1 IoC)
  - pid 1636, process reg.exe
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  - pid 1708, process eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe (19 hits)
  - pid 1480, process COM7.EXE (11 hits)
  - pid 1972, process achsv.exe (1 hit)
  - pid 1720, process COM7.EXE (1 hit)
  - pid 1816, process achsv.exe (1 hit)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - pid 1972, process achsv.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 1708 (eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe) wrote to memory of 1972, procid_target 27 (4 hits)
  - PID 1708 (eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe) wrote to memory of 1480, procid_target 28 (4 hits)
  - PID 1972 (achsv.exe) wrote to memory of 1720, procid_target 29 (4 hits)
  - PID 1480 (COM7.EXE) wrote to memory of 1636, procid_target 30 (4 hits)
  - PID 1480 (COM7.EXE) wrote to memory of 1816, procid_target 32 (4 hits)
Processes (indented entries are child processes)
- C:\Users\Admin\AppData\Local\Temp\eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe (PID 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe (PID 1972)
    Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE (PID 1720)
      Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE (PID 1480)
    Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1636)
      Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
      - Adds Run key to start application
      - Modifies registry key
    - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe (PID 1816)
      Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads (14 entries; two distinct files, each listed 7 times)
- File 1 (7 entries)
  - Filesize: 392KB
  - MD5: fe2517383c9007bfdfcf0212ef052754
  - SHA1: abeb5b538ec3a98266113429966813dc3779d507
  - SHA256: 3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b
  - SHA512: 92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945
- File 2 (7 entries)
  - Filesize: 392KB
  - MD5: 37af269fa8f2f0136bb246ff3e0e805e
  - SHA1: 22cc71b4de092bd19a12e9a677869984e1481070
  - SHA256: 5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09
  - SHA512: 4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b