Analysis

  • max time kernel
    156s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/10/2022, 02:06

General

  • Target

    6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe

  • Size

    637KB

  • MD5

    a3554f723c2a1340932c53bed5352110

  • SHA1

    b9f184948c9ad804ad6912c32b3a8f146872eb91

  • SHA256

    6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

  • SHA512

    d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7

  • SSDEEP

    12288:2rEbA5SpqJCoh/TZAZuHF9h2yQ12h2uLJT3HDR/2brjUJJK:98TOZ89h2yQ1O2wt2brjUrK

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
      "C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe
        "C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Users\Admin\AppData\Local\Temp\~6105.tmp
          "C:\Users\Admin\AppData\Local\Temp\~6105.tmp"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1088
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~6D64.tmp.pdf"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:948
  • C:\Windows\SysWOW64\dialentc.exe
    C:\Windows\SysWOW64\dialentc.exe -k
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~6105.tmp

    Filesize

    6KB

    MD5

    954180776d3d07deb985f612be9ea895

    SHA1

    3db48020919dd35717bf88bd3c164f0652aba20e

    SHA256

    52944b7fdd7d525c95d5fd77e7b79a1900b515223524bd62014ba95062c785d2

    SHA512

    6d9c7fa44c25d276a2dfd3b1acf1f153553fedd840a5b49baa842aa61d44b4a6643bf661f064662c6195ce42e472505e4aad1f6b0f82da4a4af01e80e6bcb3af

  • C:\Users\Admin\AppData\Local\Temp\~6D64.tmp.pdf

    Filesize

    336KB

    MD5

    db089ea9084f8fccc7cfb0a064be7dc6

    SHA1

    9831a0f6c56277563fdbb34ec28fcd6655a0cb9c

    SHA256

    b1fabddbd4781e19f8299e88b18eb3b27285b491db188d31722031e3afe063be

    SHA512

    873d7c6397a34c16dd1a9ba5c0623c838717985ac77c49f88d2209882001305a9bb7930983e2a7d1ce7aaa8b18e6e20a6330040da392c6be3ff4adb99935700b

  • C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe

    Filesize

    172KB

    MD5

    ffd27be93a8c1f9467f0019882922ae7

    SHA1

    edd08d9e5a48f974ff34fb83b83d4aa5eb7b79dd

    SHA256

    0741ad6ea473b4d9f47570cdbea6f8a10ffb299ec3ef717e93892bbc1b48fc41

    SHA512

    9fd870260a69e30c185a74bc8143dc46186160221e5ca747a5d54e01b952784ae344e2c45028e849f7dae0678355487ff9299c8ad3041c1ad103425dbfef4911

  • C:\Windows\SysWOW64\dialentc.exe

    Filesize

    637KB

    MD5

    a3554f723c2a1340932c53bed5352110

    SHA1

    b9f184948c9ad804ad6912c32b3a8f146872eb91

    SHA256

    6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

    SHA512

    d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7

  • memory/1408-65-0x0000000002650000-0x0000000002691000-memory.dmp

    Filesize

    260KB

  • memory/1408-67-0x0000000002650000-0x0000000002691000-memory.dmp

    Filesize

    260KB

  • memory/1604-71-0x0000000000540000-0x00000000005F2000-memory.dmp

    Filesize

    712KB

  • memory/1672-54-0x0000000075841000-0x0000000075843000-memory.dmp

    Filesize

    8KB

  • memory/1672-55-0x0000000000520000-0x00000000005D2000-memory.dmp

    Filesize

    712KB