Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 152s
max time network: 90s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2022, 16:12
Static task: static1
Behavioral task: behavioral1
  Sample: d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
  Resource: win10v2004-20220812-en
General
Target: d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
Size: 392KB
MD5: 82805fe0c771d3d7660012d0e5d63060
SHA1: e762d3caf6d045e66f2d9ba5a2ce3bd65c0b6600
SHA256: d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb
SHA512: aadc35efe7618be3c2b344063146091916223402ab75b824f1fc9520355c7292ab0e6f78fb25748e4b56199d0592e3f136806516a23cae3e1be41f326740c44d
SSDEEP: 12288:tt8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS23:tt+gvMpVij/F1hV5HuvAId
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid   Process
  1976  achsv.exe
  2040  COM7.EXE
  1980  COM7.EXE
  1748  achsv.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                            Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe  achsv.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe  COM7.EXE

Loads dropped DLL (8 IoCs)
  pid   Process                                                                   occurrences
  968   d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe     4
  1976  achsv.exe                                                                 2
  2040  COM7.EXE                                                                  2

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                    Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                             reg.exe

Drops file in Program Files directory (2 IoCs)
  description   ioc                                            Process
  File created  C:\Program Files\FoxitReader\bin\COM7.EXE      COM7.EXE
  File created  C:\Program Files\FoxitReader\FoxitReader.exe   COM7.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry key (1 TTPs, 1 IoCs)
  pid   Process
  1100  reg.exe

Suspicious behavior: EnumeratesProcesses (36 IoCs)
  pid   Process                                                                   occurrences
  968   d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe     22
  1976  achsv.exe                                                                 1
  2040  COM7.EXE                                                                  11
  1980  COM7.EXE                                                                  1
  1748  achsv.exe                                                                 1

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1976  achsv.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                                                   procid_target  occurrences
  PID 968 wrote to memory of 1976   968   d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe     27             4
  PID 968 wrote to memory of 2040   968   d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe     28             4
  PID 1976 wrote to memory of 1980  1976  achsv.exe                                                                 29             4
  PID 2040 wrote to memory of 1100  2040  COM7.EXE                                                                  30             4
  PID 2040 wrote to memory of 1748  2040  COM7.EXE                                                                  32             4
Processes

1. C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe  (PID 968)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe  (PID 1976)
      Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE  (PID 1980)
         Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE  (PID 2040)
      Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe  (PID 1100)
         Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
         - Adds Run key to start application
         - Modifies registry key

      3. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe  (PID 1748)
         Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads (14 entries, 2 distinct files)

File A (entries 1-3 and 7-10, 7 entries)
Filesize: 392KB
MD5: 7fea966d846b91cd0e1dfa19145dd29f
SHA1: 1991f0b24061e46a23271ee2040c153cf5ca53c3
SHA256: 7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a
SHA512: b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

File B (entries 4-6 and 11-14, 7 entries)
Filesize: 392KB
MD5: 561f24a4e09b57c56909bcce5ea5a924
SHA1: f987f1b19a8b129160e760df67c8d5eea27166a3
SHA256: bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419
SHA512: 69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb