Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 105s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2022, 04:14
Static task: static1
Behavioral task: behavioral1
- Sample: 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe
- Resource: win10v2004-20220812-en
General
- Target: 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe
- Size: 307KB
- MD5: 0eaf291e0565a86af393bc576ebf0140
- SHA1: 78ca77d73e696c08c75d0a3ca3d43833f95fbf25
- SHA256: 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec
- SHA512: 1adea0d508fe2c2c2bc793907241467d80644d58cdda0da6269e32148f5f94fff19834a03f59f79ac8f21565acd0e861b4c5a4fe20526a4a584980381fe2ab61
- SSDEEP: 3072:0ulG96P/KdN8HdvkXfIIIIIIIIIIIIIIIIIIIIIIIIIIIIxJIIIIIIIIIIIIIIIS:02Hd8XzKedQBRZFeE7BUBBb9l
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 984, process mas.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 1092, process netsh.exe
- Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e60aa717f2e5a2c089f81bb10b9ec25.exe (process mas.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e60aa717f2e5a2c089f81bb10b9ec25.exe (process mas.exe)
- Loads dropped DLL (1 IoC)
  pid 1672, process 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\4e60aa717f2e5a2c089f81bb10b9ec25 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mas.exe\" .." (process mas.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4e60aa717f2e5a2c089f81bb10b9ec25 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mas.exe\" .." (process mas.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 984, process mas.exe
  pid 984, process mas.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 984, process mas.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1672 wrote to memory of 984: pid 1672, process 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe, procid_target 27
  PID 1672 wrote to memory of 984: pid 1672, process 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe, procid_target 27
  PID 1672 wrote to memory of 984: pid 1672, process 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe, procid_target 27
  PID 1672 wrote to memory of 984: pid 1672, process 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe, procid_target 27
  PID 984 wrote to memory of 1092: pid 984, process mas.exe, procid_target 28
  PID 984 wrote to memory of 1092: pid 984, process mas.exe, procid_target 28
  PID 984 wrote to memory of 1092: pid 984, process mas.exe, procid_target 28
  PID 984 wrote to memory of 1092: pid 984, process mas.exe, procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1672
   2. C:\Users\Admin\AppData\Local\Temp\mas.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mas.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 984
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\mas.exe" "mas.exe" ENABLE
         - Modifies Windows Firewall
         PID: 1092
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 307KB
- MD5: 0eaf291e0565a86af393bc576ebf0140
- SHA1: 78ca77d73e696c08c75d0a3ca3d43833f95fbf25
- SHA256: 52e8e2163c3918de5cb183abe3be134e11d83436d239e78e571fa9c198973fec
- SHA512: 1adea0d508fe2c2c2bc793907241467d80644d58cdda0da6269e32148f5f94fff19834a03f59f79ac8f21565acd0e861b4c5a4fe20526a4a584980381fe2ab61