Analysis
Max time kernel: 150s
Max time network: 70s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 29/10/2022, 20:43
Static task: static1

Behavioral task: behavioral1
  Sample: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
  Resource: win10v2004-20220901-en
General
Target: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
Size: 629KB
MD5: 5a30808ccc39d0b175aa926a68aa5150
SHA1: 7ea82e73a32bbb478c235fe3a637daf941883a6c
SHA256: 293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35
SHA512: 0d51c2cadbf386a49f1cc6d66d49cd7056b51b741fcd553589119b7c75629323123d389ab7e2f469185fd1a3700119d8d94fe526eafaaad0ac60c670944a255c
SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  PID   Process
  1964  xykutua.exe
  1572  ~DFA4D.tmp
  692   kuwija.exe

Deletes itself (1 IoC)
  PID   Process
  1668  cmd.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  1644  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
  1964  xykutua.exe
  1572  ~DFA4D.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (19 IoCs)
  PID   Process      Events
  692   kuwija.exe   19

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  1572  ~DFA4D.tmp

Suspicious use of WriteProcessMemory (16 IoCs)
  Description                        PID   Process                                                                 procid_target  Events
  PID 1644 wrote to memory of 1964   1644  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  28             4
  PID 1644 wrote to memory of 1668   1644  293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe  29             4
  PID 1964 wrote to memory of 1572   1964  xykutua.exe                                                             31             4
  PID 1572 wrote to memory of 692    1572  ~DFA4D.tmp                                                              32             4
  Every target of these writes is a direct child of the writing process in the process tree, so on its own this signature is consistent with ordinary process start-up rather than injection into an unrelated process; the stronger signals in this report are the drop-and-execute chain from %TEMP%, the SeDebugPrivilege request by ~DFA4D.tmp, and the self-deletion via a batch file.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe"
    PID: 1644
    Loads dropped DLL
    Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\xykutua.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\xykutua.exe
        PID: 1964
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp
            Command line: C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp OK
            PID: 1572
            Executes dropped EXE
            Loads dropped DLL
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\kuwija.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\kuwija.exe"
                PID: 692
                Executes dropped EXE
                Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
        PID: 1668
        Deletes itself
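The process tree above is the most useful part of this report for detection engineering: a sample in %TEMP% drops and runs a second executable from %TEMP%, which runs a third, which runs a fourth, while the original process spawns cmd.exe on a batch file in %TEMP% to delete itself. The script below is an added example (not part of the tria.ge report and not the sample's own code) that reconstructs a process tree from process-creation events and flags both patterns. The event list is constructed by hand from the tree on this page; the field names (pid, ppid, image, cmdline) and the parent of the root process being unknown (ppid None) are assumptions, as is the choice to treat only paths under \AppData\Local\Temp\ as "dropped" locations.

```python
"""Flag drop-and-run chains from %TEMP% and batch-file self-deletion
in process-creation events (added example; events are constructed from
the report's process tree, not a log the page provides)."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]   # None = parent not recorded (assumed for the root)
    image: str
    cmdline: str


# Constructed from the tree in the report: one entry per process.
EVENTS = [
    Proc(1644, None,
         r"C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\293af94a2fd33dd815fb6e7ad72f1489338994c70364a489cd68e592eec86c35.exe"'),
    Proc(1964, 1644, r"C:\Users\Admin\AppData\Local\Temp\xykutua.exe",
         r"C:\Users\Admin\AppData\Local\Temp\xykutua.exe"),
    Proc(1572, 1964, r"C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp",
         r"C:\Users\Admin\AppData\Local\Temp\~DFA4D.tmp OK"),
    Proc(692, 1572, r"C:\Users\Admin\AppData\Local\Temp\kuwija.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\kuwija.exe"'),
    Proc(1668, 1644, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "'),
]

# Assumed "dropped file" location; extend for other writable user paths.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# First .bat path on a command line, quoted or not.
BAT_RE = re.compile(r'"?([^"]+\.bat)"?', re.IGNORECASE)


def build_tree(events):
    """Index events by pid and map each ppid to its children (in event order)."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """Return the chain of Proc records from the root down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]


def find_drop_and_run(events, min_depth=2):
    """Processes running from %TEMP% whose parent (and possibly grandparents)
    also run from %TEMP%. Returns (pid, [images in the Temp-resident run])."""
    by_pid, _ = build_tree(events)
    findings = []
    for e in events:
        if not TEMP_RE.search(e.image):
            continue
        chain = ancestry(by_pid, e.pid)
        run = 0
        for proc in reversed(chain):          # count the trailing Temp-resident run
            if not TEMP_RE.search(proc.image):
                break
            run += 1
        if run >= min_depth:
            findings.append((e.pid, [p.image for p in chain[-run:]]))
    return findings


def find_batch_self_delete(events):
    """cmd.exe running a .bat from %TEMP%, spawned by a parent that itself lives
    in %TEMP%: the classic installer/dropper self-deletion pattern.
    Returns (cmd pid, batch path, parent pid)."""
    by_pid, _ = build_tree(events)
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and TEMP_RE.search(m.group(1)) and parent and TEMP_RE.search(parent.image):
            hits.append((e.pid, m.group(1), parent.pid))
    return hits


def render_tree(events, root=None):
    """Indented one-line-per-process view, children in event order."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        for child in children.get(pid, []):
            p = by_pid[child]
            lines.append("  " * depth + f"{p.pid} {p.image.rsplit(chr(92), 1)[-1]}")
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for pid, images in find_drop_and_run(EVENTS):
        print(f"drop-and-run: pid {pid}, depth {len(images)}")
    for pid, bat, parent in find_batch_self_delete(EVENTS):
        print(f"self-delete: cmd.exe pid {pid} runs {bat} for parent pid {parent}")
```

Run against real telemetry (Sysmon Event ID 1, EDR process-start events) the same two functions apply unchanged once the events are mapped into Proc records; the Temp-resident run depth is a good ranking key, since a depth of four, as here, is rare for legitimate installers.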
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 341B
Occurrences: 1
MD5: cb0415465b0696c0ea73c957e6388001
SHA1: 50e15d3a56d1ed904c4cc003395ebf2b038b639f
SHA256: c0f5535107b1519a52e18ded33678c7fffa16e421c34385c794cb437afd3b530
SHA512: 8b9db40d8eaaffbb90f1ca2e02e275041c43267268f095b30d0f9d0f5233ecf83a85a96ad4246dfcc68514f35e682e4810e3e80d0aa5e48e8d7e16a12e175582

Filesize: 104B
Occurrences: 1
MD5: 86bb2dbeaef655893262f3c041f6afe2
SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Filesize: 480B
Occurrences: 1
MD5: f69649cabd085e90cab56a82b51f259f
SHA1: 7aaffc62e441c3b5ca3a09679a05c9abe76c6121
SHA256: 51443f89a2bfe42372b66fd8c5d1428989f1a9e1812d3008cfe9d533be86e871
SHA512: d870f570b6cfdb6dab054b92247d868e64ebd67006eb9be13c6b8fea8ade2bb228c8fe84dd50070879e41ede64168c20c7623f0d90d19e9f2601057eec964de9

Filesize: 413KB
Occurrences: 2
MD5: 5409da4672e740bdef15d096093b7d14
SHA1: 472c9af11c94b63c248c352c67883f0b98c34615
SHA256: 89a567f05e6145de010501f26b4319fdcb743ee73fb6c76a25d6e9c5f09c43ab
SHA512: e6c19ad2486574a5d6ce4784a7172625f1af643123f0d553e5ac7bf75b39b4f2d498f3d3868e342477547c7d4835a604ee656bacc4fca4d26f82c7955f7fea8b

Filesize: 636KB
Occurrences: 3
MD5: 99c1e90c65f38591d606f0756c08e3ec
SHA1: bf8b0d0eaa063a403e688ac443caaa1373a31fd9
SHA256: e4d0262e16fa88c05c7b630662a74adbea68abca3fe6e004fbae7a94901cacc0
SHA512: 28b0da08554ae5848df35cdf789311a67f95652754c451e914b297183e594287f7b11a75c86ddc8d6ddccf5c04ca96febe547c921e34e8a24a2255f385f1b4be

Filesize: 644KB
Occurrences: 2
MD5: 0c08e97ca675d55b19bed409a7e56da7
SHA1: 7287fa1c5a5319a3ccfd4401aaeca39c8c5c9947
SHA256: 6fc89e8c16748b993f5605afd618a8dea96f116f62b4d407016c8397d5bc04e0
SHA512: e40dc28719fe1326d6994a4e723a66074e7e3a2f17ad978c85c21a0b1dbb1d8aa1165440727f7a76f47c4449eb22038bc1f3ec5f2014e1954fa5f5b724f6e66f

The report lists no file paths for these entries, so the hashes cannot be tied to xykutua.exe, ~DFA4D.tmp, kuwija.exe or _uninsep.bat from this page alone; entries with identical hashes that appeared more than once are shown once with their occurrence count.