Analysis
max time kernel: 156s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2022, 02:06
Static task: static1
Behavioral task: behavioral1
  Sample: 6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
  Resource: win10v2004-20220901-en
General
Target: 6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
Size: 637KB
MD5: a3554f723c2a1340932c53bed5352110
SHA1: b9f184948c9ad804ad6912c32b3a8f146872eb91
SHA256: 6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50
SHA512: d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7
SSDEEP: 12288:2rEbA5SpqJCoh/TZAZuHF9h2yQ12h2uLJT3HDR/2brjUJJK:98TOZ89h2yQ1O2wt2brjUrK
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  1896  dpnshost.exe
  1088  ~6105.tmp
  1604  dialentc.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
  1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
  1896  dpnshost.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\labeutou = "C:\\Users\\Admin\\AppData\\Roaming\\bthuvert\\dpnshost.exe"
  Process: 6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
- Drops file in System32 directory (1 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\dialentc.exe
  Process: 6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
- Drops file in Windows directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
  Process: Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1896  dpnshost.exe
  1408  Explorer.EXE
  1408  Explorer.EXE
  1604  dialentc.exe
  (the remaining entries alternate between 1408 Explorer.EXE and 1604 dialentc.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeShutdownPrivilege
  pid: 1408
  Process: Explorer.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  948   AcroRd32.exe
  948   AcroRd32.exe
  948   AcroRd32.exe
  948   AcroRd32.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                         pid   Process                                                                    procid_target
  PID 1672 wrote to memory of 1896    1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       27
  PID 1672 wrote to memory of 1896    1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       27
  PID 1672 wrote to memory of 1896    1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       27
  PID 1672 wrote to memory of 1896    1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       27
  PID 1896 wrote to memory of 1088    1896  dpnshost.exe                                                               28
  PID 1896 wrote to memory of 1088    1896  dpnshost.exe                                                               28
  PID 1896 wrote to memory of 1088    1896  dpnshost.exe                                                               28
  PID 1896 wrote to memory of 1088    1896  dpnshost.exe                                                               28
  PID 1088 wrote to memory of 1408    1088  ~6105.tmp                                                                  14
  PID 1672 wrote to memory of 948     1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       30
  PID 1672 wrote to memory of 948     1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       30
  PID 1672 wrote to memory of 948     1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       30
  PID 1672 wrote to memory of 948     1672  6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe       30
Processes
- C:\Windows\Explorer.EXE (PID 1408), command line: C:\Windows\Explorer.EXE
  Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe (PID 1672), command line: "C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe"
    Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe (PID 1896), command line: "C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe"
      Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\~6105.tmp (PID 1088), command line: "C:\Users\Admin\AppData\Local\Temp\~6105.tmp"
        Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 948), command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~6D64.tmp.pdf"
      Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\dialentc.exe (PID 1604), command line: C:\Windows\SysWOW64\dialentc.exe -k
  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads