Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    61s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/10/2022, 19:18 UTC

General

  • Target

    24f035a79da88fabb5255846270680362af6e542f1e8722433794f87e0024cfe.exe

  • Size

    86KB

  • MD5

    03e3bea4774d5715ab7be5997a15ed90

  • SHA1

    2dbb06ccf3c21a5a295eb06c5ba387dc1100990b

  • SHA256

    24f035a79da88fabb5255846270680362af6e542f1e8722433794f87e0024cfe

  • SHA512

    53ffc6d1dea48babd66d5779a87914832745f16b4b0ad002891f64088bb89f0842a0e29d39a3a60a22860e03670c22c3cd1dcd102894206f9334e0ace4f54e87

  • SSDEEP

    1536:i/E/8FZmgTJtnSe+L6ZtTqI1Rfkq4JoDpY7CciCEvadVj/:ickDmgTXSBCt71RfkqooDST7

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: MapViewOfSection (22 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    PID:476
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    1⤵
    PID:1956
  • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    1⤵
    PID:2028
  • C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    1⤵
    PID:1800
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    1⤵
    PID:1656
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\24f035a79da88fabb5255846270680362af6e542f1e8722433794f87e0024cfe.exe
      "C:\Users\Admin\AppData\Local\Temp\24f035a79da88fabb5255846270680362af6e542f1e8722433794f87e0024cfe.exe"
      2⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1852
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1176
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    PID:1120
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    1⤵
    PID:1060
  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    PID:340
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    1⤵
    PID:240
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    PID:864
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    PID:832
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    1⤵
    PID:792
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    1⤵
    PID:740
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    1⤵
    PID:652
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    PID:576
  • C:\Windows\system32\lsm.exe
    C:\Windows\system32\lsm.exe
    1⤵
    PID:484
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:460
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:416
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    PID:376
  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
    PID:368

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp

    Filesize

    8KB

  • memory/1852-55-0x0000000001000000-0x0000000001018000-memory.dmp

    Filesize

    96KB

  • memory/1852-56-0x0000000070F91000-0x0000000070F93000-memory.dmp

    Filesize

    8KB

  • memory/1852-57-0x0000000001000000-0x0000000001018000-memory.dmp

    Filesize

    96KB
