Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
Contract_8556.iso
windows7-x64
3Contract_8556.iso
windows10-2004-x64
6Contract.lnk
windows7-x64
8Contract.lnk
windows10-2004-x64
8reviewer/beastly.dll
windows7-x64
1reviewer/beastly.dll
windows10-2004-x64
3reviewer/bike.txt
windows7-x64
1reviewer/bike.txt
windows10-2004-x64
1reviewer/r...rs.gif
windows7-x64
1reviewer/r...rs.gif
windows10-2004-x64
1reviewer/u...ed.cmd
windows7-x64
1reviewer/u...ed.cmd
windows10-2004-x64
1Analysis
-
max time kernel
282s -
max time network
261s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2022, 08:28
Static task
static1
Behavioral task
behavioral1
Sample
Contract_8556.iso
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Contract_8556.iso
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
Contract.lnk
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
Contract.lnk
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
reviewer/beastly.dll
Resource
win7-20220901-en
Behavioral task
behavioral6
Sample
reviewer/beastly.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
reviewer/bike.txt
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
reviewer/bike.txt
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
reviewer/rehearsers.gif
Resource
win7-20220812-en
Behavioral task
behavioral10
Sample
reviewer/rehearsers.gif
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
reviewer/ungroomed.cmd
Resource
win7-20220812-en
Behavioral task
behavioral12
Sample
reviewer/ungroomed.cmd
Resource
win10v2004-20220901-en
General
-
Target
Contract_8556.iso
-
Size
990KB
-
MD5
f1404d05a5143952499cd764babcb895
-
SHA1
673491da8fdbff9708fb077259515c0d788578ae
-
SHA256
5304522c3f48984337f18133639815cab62f24ef25407c3a097fcecfc4b4ed9f
-
SHA512
329d21193d45866ab0b3bcdade34245a10645e3c4a0d29c61cd45512ce60b1331294a0e96c44dc20444f8716bdbcba371db8c8453be6fbc73476ead56035ac20
-
SSDEEP
24576:u6y8bRZAYhI/LoO9bBoY/6wgHzwt6AwQwrwJwJY:u+AYhIjoO9d/6wgHzwt6AwQwrwJwJ
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: cmd.exe File opened (read-only) \??\E: cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3344 4376 WerFault.exe 92 -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4684 regsvr32.exe 4684 regsvr32.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe 4904 wermgr.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4684 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeManageVolumePrivilege 868 cmd.exe Token: SeManageVolumePrivilege 868 cmd.exe Token: SeRestorePrivilege 4708 7zG.exe Token: 35 4708 7zG.exe Token: SeSecurityPrivilege 4708 7zG.exe Token: SeSecurityPrivilege 4708 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4708 7zG.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2060 OpenWith.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2824 wrote to memory of 3276 2824 cmd.exe 101 PID 2824 wrote to memory of 3276 2824 cmd.exe 101 PID 2824 wrote to memory of 404 2824 cmd.exe 102 PID 2824 wrote to memory of 404 2824 cmd.exe 102 PID 404 wrote to memory of 4684 404 regsvr32.exe 103 PID 404 wrote to memory of 4684 404 regsvr32.exe 103 PID 404 wrote to memory of 4684 404 regsvr32.exe 103 PID 4684 wrote to memory of 4904 4684 regsvr32.exe 104 PID 4684 wrote to memory of 4904 4684 regsvr32.exe 104 PID 4684 wrote to memory of 4904 4684 regsvr32.exe 104 PID 4684 wrote to memory of 4904 4684 regsvr32.exe 104 PID 4684 wrote to memory of 4904 4684 regsvr32.exe 104 PID 3280 wrote to memory of 4912 3280 cmd.exe 112 PID 3280 wrote to memory of 4912 3280 cmd.exe 112
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Contract_8556.iso1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:868
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1056
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 4376 -ip 43761⤵PID:936
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4376 -s 20641⤵
- Program crash
PID:3344
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reviewer\ungroomed.cmd vr 32. exe1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\replace.exereplace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A2⤵PID:3276
-
-
C:\Windows\system32\regsvr32.exeregsvr32.exe reviewer\beastly.dat2⤵
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\regsvr32.exereviewer\beastly.dat3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904
-
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Contract_8556\" -spe -an -ai#7zMap4460:106:7zEvent227341⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4708
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2060
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Contract_8556\reviewer\ungroomed.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\system32\replace.exereplace C:\Windows\\system32\\regs C:\Users\Admin\AppData\Local\Temp /A2⤵PID:4912
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
354B
MD56d1154c490214c6ca6a9186cc7a7a04e
SHA1697909602a5f9a0f9bf6098806a9411d8d84de71
SHA25667799a42b9d4dd9cbdab2bfb34b91aab636922f84b24b8a6374b8ad20fb10c19
SHA512184966728fbaee9d8591f6fe8516af8b9fe99183442115a533ce6f5c1477cb3817da799c7da10bbb3212fd07fcc6ea75698fea0776fb5bf75043e212d87a8564