Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
02/11/2022, 07:35
221102-jeqmhaaca2 602/11/2022, 07:27
221102-jak68aabg7 102/11/2022, 07:14
221102-h2phaaabc6 602/11/2022, 07:10
221102-hzkrbaaba8 6Analysis
-
max time kernel
133s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
02/11/2022, 07:27
Static task
static1
Behavioral task
behavioral1
Sample
23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf
Resource
win10v2004-20220812-en
General
-
Target
23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf
-
Size
123KB
-
MD5
5beb7c5ff96ef2dc04a9819c202b763c
-
SHA1
da443ec9803434c6889d1ce29b68eba49410077d
-
SHA256
23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1
-
SHA512
07d180e2def2e3deda4f8b473ad8ff1dc9e2a86535f26b03c6d2322a2eca4a06732ca64d051494380027493cd5c2b1e4252f3261af66d53e9d4b192b60785af7
-
SSDEEP
3072:CCiI2W/+oGlhxbRg5NpmqeBAmizCXNse6+rACvt2cq2p0FVbO7LcCDOrdUx07+:CW/+oGfk3mEmizuNse6SACvt2cSVbO7p
Malware Config
Signatures
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1536 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1256 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 664 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 664 AUDIODG.EXE Token: 33 664 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 664 AUDIODG.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1256 AcroRd32.exe 1256 AcroRd32.exe 1256 AcroRd32.exe
Processes
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\23adb09c91783fa30d2be70048efa52dd20ebd90d7cc0c33ed4a91b0fb3020d1.pdf"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1256
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1408
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:664
-
C:\Windows\System32\ynas2bhrqzjry.exe"C:\Windows\System32\ynas2bhrqzjry.exe"1⤵PID:1748
-
C:\Windows\System32\fviekyzwyro4u.exe"C:\Windows\System32\fviekyzwyro4u.exe"1⤵PID:1556
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "1208" "3768"1⤵PID:1788
-
C:\Windows\System32\fviekyzwyro4u.exe"C:\Windows\System32\fviekyzwyro4u.exe"1⤵PID:240
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "1208" "3732"1⤵PID:580
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "1208" "3788"1⤵PID:1672
-
C:\Windows\System32\ynas2bhrqzjry.exe"C:\Windows\System32\ynas2bhrqzjry.exe"1⤵PID:1700
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\PerfStringBackup.INI1⤵
- Opens file in notepad (likely ransom note)
PID:1536