Analysis

  • max time kernel
    121s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2022, 02:49

General

  • Target

    64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe

  • Size

    30KB

  • MD5

    72fc2816c0706df8b4cf6d6527705400

  • SHA1

    94bc7e140d064d679ddbeafc9fc1b07243fa2731

  • SHA256

    64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389

  • SHA512

    74704dc890cca37dcbf60057a4370c3590131f36117cab92c51ad95e8dec193f6f9bb102584be63b1506c8e5328eb1075f930dd845d2c8a9a88f9b324fadb9d6

  • SSDEEP

    768:bLt9cVrFuxrzrldoAk26gGue3wU+H8ZCD:bJcRyrldpx3Gu2SH8ZCD

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies WinLogon 2 TTPs 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe
    "C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1204
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\gos4EBD.bat"
      2⤵
      PID:1164
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.bat"
      2⤵
      • Deletes itself
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B22652F1-5135-11ED-B51C-6E705F4A26E5}.dat

      Filesize

      4KB

      MD5

      2356bb86278685be31d2bcfb26c95cdc

      SHA1

      7f46680a22344562676da1e85765b35ea01aa7a1

      SHA256

      d474123d66497b722ee5619e9fd74f5ebeb107e87cb6a539f7f47402d827c004

      SHA512

      859b6326e095a1cc8421171b9e183ef2493eaf9a269e31ba4eba4e9138f934f3b44fa9cc582f638167714a9f7072400334d242063e78b96e823c5bf10f6867e7

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B399A971-5135-11ED-B51C-6E705F4A26E5}.dat

      Filesize

      4KB

      MD5

      59ff8973df178036393b1c3936ce59c5

      SHA1

      9cca5e15cebe3390570ea737bb9276e1d2ea2cfe

      SHA256

      20d3a90e7ca6d99040388dd3f7208fa33f409e752cf5411ed451459c58ef505f

      SHA512

      9cba06924ed780c20e1ce507dbe7dff2827c2ece29de20a1dadc5329bea551b03b2b972c4ed45287adfd73acb7e4481b079881119de42da29bd4d40996bdf07b

    • C:\Users\Admin\AppData\Local\Temp\64735a1cf92f339d71e9753cd89960377a6703eede35d5e5a146435b640ae389.bat

      Filesize

      361B

      MD5

      e20478d2f9706857c8ac68db7e1a4c0a

      SHA1

      ebed4cd0b53eaa1e83a49ed134f3fcbe9b18218b

      SHA256

      67100b03f75bf2d47502543130490c4637fa19539d850978e446ae754c3de4b9

      SHA512

      f8d7bb416098d743d1662fa6a7ce4bc3f6c4d556b10a37ea79661bd98794208ad1d7018d49691e7cdd7daa2d1ccafd42b5f52efa5ffa03182411784c9825028b

    • C:\Users\Admin\AppData\Local\Temp\gos4EBD.bat

      Filesize

      190B

      MD5

      35f7986b5ec15cc80f04805e07ac2946

      SHA1

      168f8dfe6b2a21c808bc6a0a77124fc77434a035

      SHA256

      bb6c513b4c2d2d30cbc426f7af636bb97afabf83a60fe7edd3533e71417ddf67

      SHA512

      ea0fc19e574267c185cdff144818bbe2cb272dfbd3b3a9e9a847ca96f748ef50d6069d9f02427f94a161fc9fb8597b7a6db79bfde462ac3d98ab8c2b00f17868

    • C:\Users\Admin\AppData\Local\Temp\gos4EBD.tmp

      Filesize

      21KB

      MD5

      3ce3efca63544003a973d95a16470d8c

      SHA1

      2a2b1df082f0aabe3f6323a79f480be85866c2a6

      SHA256

      40d20cad46c93366ea0308b90ad225f5ba5120c809bac8a7890be46a8c5ce91f

      SHA512

      2aca4be55db254cbd12dd321e24510be83dd6931d0844e544b410a21f303ce4dcaeece85f7a9ebdfbc1ddb8c6109877345912986bab71f22a2f9a03c832138f2

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\82AQ4FF6.txt

      Filesize

      606B

      MD5

      4c45afa4e9f420a60f8fd1362b5be674

      SHA1

      c24b255b8a7352abe7c66583eaaca673c85c2fd1

      SHA256

      6c46f4ee1ac05bd4d4ba71156860d365e9573207053b065c35ede1a7c04ada83

      SHA512

      03497b4bf3a6569cbfc4b9f661f846ba7b9c32e25556c08b43724d046c35a28db46aeefcb9ad2a1ebc79fe656e3409c0915fb4345512beb784c6a6db662cdf89

    • \Users\Admin\AppData\Local\Temp\gos4EBD.tmp

      Filesize

      21KB

      MD5

      3ce3efca63544003a973d95a16470d8c

      SHA1

      2a2b1df082f0aabe3f6323a79f480be85866c2a6

      SHA256

      40d20cad46c93366ea0308b90ad225f5ba5120c809bac8a7890be46a8c5ce91f

      SHA512

      2aca4be55db254cbd12dd321e24510be83dd6931d0844e544b410a21f303ce4dcaeece85f7a9ebdfbc1ddb8c6109877345912986bab71f22a2f9a03c832138f2

    • memory/1388-58-0x0000000000240000-0x0000000000245000-memory.dmp

      Filesize

      20KB

    • memory/1388-67-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

    • memory/1388-68-0x0000000000020000-0x0000000000025000-memory.dmp

      Filesize

      20KB

    • memory/1388-55-0x0000000000020000-0x0000000000025000-memory.dmp

      Filesize

      20KB

    • memory/1388-57-0x0000000010000000-0x0000000010010000-memory.dmp

      Filesize

      64KB

    • memory/1388-54-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

    • memory/1472-60-0x00000000768A1000-0x00000000768A3000-memory.dmp

      Filesize

      8KB