Analysis

  • max time kernel
    282s
  • max time network
    261s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/10/2022, 08:28

General

  • Target

    Contract_8556.iso

  • Size

    990KB

  • MD5

    f1404d05a5143952499cd764babcb895

  • SHA1

    673491da8fdbff9708fb077259515c0d788578ae

  • SHA256

    5304522c3f48984337f18133639815cab62f24ef25407c3a097fcecfc4b4ed9f

  • SHA512

    329d21193d45866ab0b3bcdade34245a10645e3c4a0d29c61cd45512ce60b1331294a0e96c44dc20444f8716bdbcba371db8c8453be6fbc73476ead56035ac20

  • SSDEEP

    24576:u6y8bRZAYhI/LoO9bBoY/6wgHzwt6AwQwrwJwJY:u+AYhIjoO9d/6wgHzwt6AwQwrwJwJ

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 2 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (That is the signature's generic description. In this run the optical-drive interaction is consistent with the submitted ISO being mounted as a virtual DVD drive when cmd.exe opens it, which is what the first process in the tree does; nothing in the report shows user files being encrypted.)

  • Program crash (1 IoC)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Contract_8556.iso
    1⤵
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:868
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1056
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 460 -p 4376 -ip 4376
    1⤵
    PID:936
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4376 -s 2064
    1⤵
    • Program crash
    PID:3344
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reviewer\ungroomed.cmd vr 32. exe
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\system32\replace.exe
      replace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A
      2⤵
      PID:3276
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe reviewer\beastly.dat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Windows\SysWOW64\regsvr32.exe
        reviewer\beastly.dat
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4904
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Contract_8556\" -spe -an -ai#7zMap4460:106:7zEvent22734
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4708
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2060
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Contract_8556\reviewer\ungroomed.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Windows\system32\replace.exe
      replace C:\Windows\\system32\\regs C:\Users\Admin\AppData\Local\Temp /A
      2⤵
      PID:4912
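The process tree above is the whole story of this sample: the .cmd is started with the arguments `vr 32. exe`, and the two replace.exe command lines (`...\\system32\\regsvr32.exe` when those arguments are present, `...\\system32\\regs` when the script is run without them) show that the batch file assembles the name regsvr32.exe from a fixed `regs` prefix plus its own arguments, copies that binary into Temp with replace.exe, and then has regsvr32 load `beastly.dat`, which in turn spawns wermgr.exe as the injection host. The following detection logic, added here as an example and not part of the Triage report or of any vendor product, runs over process-creation records built from the report's own image paths, command lines and PIDs. The parent PIDs are an assumption read off the depth arrows (the report shows depth, not ppid), and the `ProcEvent` field names are an assumed minimal schema rather than a real EDR or Sysmon layout.

```python
"""Process-tree detections for the chain in this report: an ISO opened from
Temp, a batch file whose arguments assemble an .exe name, replace.exe copying
a System32 binary out of the Windows directory, regsvr32 loading a non-DLL
extension, and wermgr.exe spawned by regsvr32.

Added example, not part of the Triage report. Event records are constructed
from the report's process list; ppid values are assumed from the depth
arrows and the field names are an assumed schema.
"""
import ntpath
import re
from dataclasses import dataclass

# Extensions regsvr32 is normally asked to register.
REGSVR32_OK_EXT = {".dll", ".ocx", ".ax", ".cpl"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int   # assumed from the report's depth arrows; 0 = unknown/root
    image: str
    cmdline: str


# Constructed from the report's process tree plus one benign control (pid 5000).
EVENTS = [
    ProcEvent(868, 0, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\Contract_8556.iso"),
    ProcEvent(2824, 0, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c reviewer\ungroomed.cmd vr 32. exe'),
    ProcEvent(3276, 2824, r"C:\Windows\system32\replace.exe",
              r"replace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A"),
    ProcEvent(404, 2824, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32.exe reviewer\beastly.dat"),
    ProcEvent(4684, 404, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"reviewer\beastly.dat"),
    ProcEvent(4904, 4684, r"C:\Windows\SysWOW64\wermgr.exe",
              r"C:\Windows\SysWOW64\wermgr.exe"),
    ProcEvent(3280, 0, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Contract_8556\reviewer\ungroomed.cmd"'),
    ProcEvent(4912, 3280, r"C:\Windows\system32\replace.exe",
              r"replace C:\Windows\\system32\\regs C:\Users\Admin\AppData\Local\Temp /A"),
    # Benign control (constructed): regsvr32 silently registering a real DLL.
    ProcEvent(5000, 1, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
]


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes
    and leaving backslashes alone (shlex in POSIX mode would eat them)."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def norm(path: str) -> str:
    """Lower-case and collapse repeated backslashes; the batch file wrote
    C:\\Windows\\\\system32\\\\... and Windows accepts that as a valid path."""
    return re.sub(r"\\+", r"\\", path.strip('"')).lower()


def args_without_image(ev: ProcEvent) -> list[str]:
    """Drop argv[0] only when it names the image (with or without .exe).
    The 32-bit regsvr32 relaunch in the report has no argv[0] at all."""
    toks = tokens(ev.cmdline)
    img = ntpath.basename(norm(ev.image))
    if toks and ntpath.basename(norm(toks[0])) in (img, ntpath.splitext(img)[0]):
        toks = toks[1:]
    return toks


def detect(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) for every record that matches a rule."""
    by_pid = {ev.pid: ev for ev in events}
    findings: list[tuple[str, int]] = []
    for ev in events:
        img = ntpath.basename(norm(ev.image))
        pos = [a for a in args_without_image(ev) if not a.startswith("/")]

        if img == "cmd.exe" and pos:
            target = norm(pos[0])
            # Shell-opening an .iso from a user Temp path mounts it as a drive.
            if target.endswith(".iso") and "\\appdata\\local\\temp\\" in target:
                findings.append(("iso_opened_from_user_temp", ev.pid))
            # Script arguments that, concatenated, spell an .exe name
            # ("vr" "32." "exe" here) are a batch-file obfuscation trick.
            if ntpath.splitext(target)[1] in (".cmd", ".bat") \
                    and "".join(pos[1:]).lower().endswith(".exe"):
                findings.append(("batch_args_assemble_exe_name", ev.pid))

        # replace.exe copying a System32/SysWOW64 binary outside \Windows\.
        if img == "replace.exe" and len(pos) >= 2:
            src, dst = norm(pos[0]), norm(pos[1])
            sys_dirs = ("\\windows\\system32\\", "\\windows\\syswow64\\")
            if any(d in src for d in sys_dirs) and "\\windows\\" not in dst:
                findings.append(("lolbin_copy_via_replace", ev.pid))

        # regsvr32 told to load something that is not a COM server extension.
        if img == "regsvr32.exe" and pos:
            if ntpath.splitext(norm(pos[0]))[1] not in REGSVR32_OK_EXT:
                findings.append(("regsvr32_non_dll_extension", ev.pid))

        # wermgr.exe is normally started by svchost, not by regsvr32.
        parent = by_pid.get(ev.ppid)
        if img == "wermgr.exe" and parent \
                and ntpath.basename(norm(parent.image)) == "regsvr32.exe":
            findings.append(("wermgr_spawned_by_regsvr32", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Each rule is cheap enough to run as a standing query over process-creation telemetry; the regsvr32 and wermgr rules are the ones worth alerting on alone, the ISO and replace.exe rules are better used to score the parent chain. The benign control record (pid 5000) shows that a normal `regsvr32 /s something.dll` does not trip the extension rule.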

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Contract_8556\reviewer\ungroomed.cmd
    Filesize
    354B
    MD5
    6d1154c490214c6ca6a9186cc7a7a04e
    SHA1
    697909602a5f9a0f9bf6098806a9411d8d84de71
    SHA256
    67799a42b9d4dd9cbdab2bfb34b91aab636922f84b24b8a6374b8ad20fb10c19
    SHA512
    184966728fbaee9d8591f6fe8516af8b9fe99183442115a533ce6f5c1477cb3817da799c7da10bbb3212fd07fcc6ea75698fea0776fb5bf75043e212d87a8564
  • memory/4684-135-0x00000000030B0000-0x00000000030D9000-memory.dmp
    Filesize
    164KB
  • memory/4684-136-0x0000000003050000-0x000000000307A000-memory.dmp
    Filesize
    168KB
  • memory/4684-137-0x00000000030B0000-0x00000000030D9000-memory.dmp
    Filesize
    164KB
  • memory/4684-139-0x00000000030B0000-0x00000000030D9000-memory.dmp
    Filesize
    164KB
  • memory/4904-140-0x0000000000A40000-0x0000000000A69000-memory.dmp
    Filesize
    164KB
  • memory/4904-141-0x0000000000A40000-0x0000000000A69000-memory.dmp
    Filesize
    164KB