Resubmissions

  • 221102-jeqmhaaca2 (submitted 02/11/2022, 07:35, score 6)
  • 221102-jak68aabg7 (submitted 02/11/2022, 07:27, score 1; this analysis)
  • 221102-h2phaaabc6 (submitted 02/11/2022, 07:14, score 6)
  • 221102-hzkrbaaba8 (submitted 02/11/2022, 07:10, score 6)

Analysis

  • max time kernel
    133s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/11/2022, 07:27

General

  • Target

    23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf

  • Size

    123KB

  • MD5

    5beb7c5ff96ef2dc04a9819c202b763c

  • SHA1

    da443ec9803434c6889d1ce29b68eba49410077d

  • SHA256

    23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1

  • SHA512

    07d180e2def2e3deda4f8b473ad8ff1dc9e2a86535f26b03c6d2322a2eca4a06732ca64d051494380027493cd5c2b1e4252f3261af66d53e9d4b192b60785af7

  • SSDEEP

    3072:CCiI2W/+oGlhxbRg5NpmqeBAmizCXNse6+rACvt2cq2p0FVbO7LcCDOrdUx07+:CW/+oGfk3mEmizuNse6SACvt2cSVbO7p

Score
1/10

Malware Config

Signatures

  • Opens file in notepad (likely ransom note) 1 IoCs (the file opened is C:\Windows\System32\PerfStringBackup.INI, a standard Windows performance-counter backup file rather than a file written by the sample, so treat this heuristic as low confidence here)
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:1256
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1408
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:664
  • C:\Windows\System32\ynas2bhrqzjry.exe
    "C:\Windows\System32\ynas2bhrqzjry.exe"
    1⤵
    PID:1748
  • C:\Windows\System32\fviekyzwyro4u.exe
    "C:\Windows\System32\fviekyzwyro4u.exe"
    1⤵
    PID:1556
  • C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "1208" "3768"
    1⤵
    PID:1788
  • C:\Windows\System32\fviekyzwyro4u.exe
    "C:\Windows\System32\fviekyzwyro4u.exe"
    1⤵
    PID:240
  • C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "1208" "3732"
    1⤵
    PID:580
  • C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "1208" "3788"
    1⤵
    PID:1672
  • C:\Windows\System32\ynas2bhrqzjry.exe
    "C:\Windows\System32\ynas2bhrqzjry.exe"
    1⤵
    PID:1700
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\PerfStringBackup.INI
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1536

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp
    Filesize: 8KB
  • memory/1408-55-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp
    Filesize: 8KB
  • memory/1748-56-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB
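The dump names under Downloads encode the owning PID and the dumped address range, which can be cross-checked against the stated file sizes and joined back to the process list above. The following Python is an added example, not part of the tria.ge report or its tooling: the naming scheme it parses (memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp) is an assumption drawn from the three entries above, the process and dump data are copied from this report, and the 0x140000000 check relies on that address being the linker's default ImageBase for x64 executables, which the report itself does not state.

```python
import re

# Process list copied from the Processes section above: PID -> image path.
PROCESSES = {
    1256: r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
    1408: r"C:\Windows\explorer.exe",
    664:  r"C:\Windows\system32\AUDIODG.EXE",
    1748: r"C:\Windows\System32\ynas2bhrqzjry.exe",
    1556: r"C:\Windows\System32\fviekyzwyro4u.exe",
    1788: r"C:\Windows\system32\wermgr.exe",
    240:  r"C:\Windows\System32\fviekyzwyro4u.exe",
    580:  r"C:\Windows\system32\wermgr.exe",
    1672: r"C:\Windows\system32\wermgr.exe",
    1700: r"C:\Windows\System32\ynas2bhrqzjry.exe",
    1536: r"C:\Windows\system32\NOTEPAD.EXE",
}

# Dump entries copied from the Downloads section: (file name, stated size).
DUMPS = [
    ("memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp", "8KB"),
    ("memory/1408-55-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp", "8KB"),
    ("memory/1748-56-0x0000000140000000-0x00000001405E8000-memory.dmp", "5.9MB"),
]

# Assumed naming scheme: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
UNITS = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}
DEFAULT_X64_IMAGE_BASE = 0x140000000  # linker default ImageBase for x64 PE executables


def parse_dump_name(name):
    """Split a dump file name into pid, index and the dumped address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, index, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"end address is not after start in {name}")
    return {"pid": pid, "index": index, "start": start, "end": end, "size": end - start}


def parse_size(text):
    """Convert a report size such as '8KB' or '5.9MB' into bytes (binary units)."""
    m = SIZE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised size: {text}")
    return float(m[1]) * UNITS[m[2].upper()]


def size_consistent(actual_bytes, stated_text, tolerance=0.05):
    """The report rounds sizes to one decimal, so compare with a relative tolerance."""
    stated = parse_size(stated_text)
    return abs(actual_bytes - stated) <= tolerance * stated


def check_dumps(processes=PROCESSES, dumps=DUMPS):
    """Join each dump to its process and collect notes worth a second look."""
    results = []
    for name, stated in dumps:
        d = parse_dump_name(name)
        d["image"] = processes.get(d["pid"])
        d["stated"] = stated
        notes = []
        if d["image"] is None:
            notes.append("pid not present in the process list")
        if not size_consistent(d["size"], stated):
            notes.append(f"computed size {d['size']} B disagrees with stated {stated}")
        if d["start"] == DEFAULT_X64_IMAGE_BASE:
            notes.append("starts at the default x64 ImageBase; likely the process's main executable image")
        d["notes"] = notes
        results.append(d)
    return results


if __name__ == "__main__":
    for r in check_dumps():
        print(f"pid {r['pid']:>5}  {r['size']:>8} B  stated {r['stated']:>6}  {r['image']}")
        for n in r["notes"]:
            print(f"    note: {n}")
```

Run against the data above, the two 8KB entries resolve to single 0x2000-byte regions in AcroRd32.exe (PID 1256) and explorer.exe (PID 1408), and the 0x5E8000-byte region for PID 1748 starts at 0x140000000, which is why the check flags it as the most likely main image of ynas2bhrqzjry.exe; all three computed sizes agree with the sizes the report states.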