Analysis
max time kernel: 151s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2022, 12:03
Static task: static1
Behavioral task: behavioral1
Sample: test.exe
Resource: win7-20220812-en
General
Target: test.exe
Size: 2.7MB
MD5: 8fd4a4a504f74b802bfdaf03ec95a036
SHA1: ef941774c3c50582ffaae6cfce6f18e50b7cf5d2
SHA256: 14bdd5687f39ec45ec665c360a96e503e0d6abfcb5ce7dc7285cbf2c16e9b92f
SHA512: 257f8084312bfbff3465cc5c484c7218f5bda1fa8b820c358ae40b6384e24373763d1f805d1e8d85a5418fc51c8d80959edf673ff3a467f2f523a6a2c53c45ba
SSDEEP: 49152:IBJhO6U1TlVSlRRltLYRd9mJ61KcWRN92hz61IiEEI3gL0td49T1LSqah:yjO6U1hVSlR/te2cPo+iI4z+P
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
1292  Mutual_67.pdf.exe

Loads dropped DLL (2 IoCs)
pid   Process
1476  test.exe
1476  test.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid   Process
556   AcroRd32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
556   AcroRd32.exe
556   AcroRd32.exe
556   AcroRd32.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description                        pid   Process            procid_target
PID 1476 wrote to memory of 1292   1476  test.exe           27
PID 1476 wrote to memory of 1292   1476  test.exe           27
PID 1476 wrote to memory of 1292   1476  test.exe           27
PID 1476 wrote to memory of 1292   1476  test.exe           27
PID 1292 wrote to memory of 2024   1292  Mutual_67.pdf.exe  28
PID 1292 wrote to memory of 2024   1292  Mutual_67.pdf.exe  28
PID 1292 wrote to memory of 2024   1292  Mutual_67.pdf.exe  28
PID 2024 wrote to memory of 720    2024  cmd.exe            30
PID 2024 wrote to memory of 720    2024  cmd.exe            30
PID 2024 wrote to memory of 720    2024  cmd.exe            30
PID 2024 wrote to memory of 556    2024  cmd.exe            31
PID 2024 wrote to memory of 556    2024  cmd.exe            31
PID 2024 wrote to memory of 556    2024  cmd.exe            31
PID 2024 wrote to memory of 556    2024  cmd.exe            31
PID 720 wrote to memory of 296     720   WScript.exe        32
PID 720 wrote to memory of 296     720   WScript.exe        32
PID 720 wrote to memory of 296     720   WScript.exe        32
Processes (tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\test.exe (PID 1476)
  command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe (PID 1292)
    command line: "C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 2024)
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7427.tmp\7428.tmp\7429.bat C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WScript.exe (PID 720)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\name.js"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmdkey.exe (PID 296)
          command line: "C:\Windows\System32\cmdkey.exe" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Admin\AppData\Local\Temp\2510c_cr69.zip /pass:kLjBEyO /user:""

      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 556)
        command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mutual.pdf"
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 38c904eb3b649ccd3cbf61d57b76c046
SHA1: 1a699545e71e81c4c04ca1894bc3be9cc8f024b1
SHA256: 4e58072d8f22782ef8e4e5a97ac7178cc7cd9a69b925ffe71537e79097263924
SHA512: a3613cd67349f05a1c4441202b100beac89ac0462f05586bed65bc28041488b03891dd86f7e80eb24ae2834a1b6929368db6d5f13a0d58904c3157e9a6363c86

Filesize: 70KB
MD5: 9672b8df2bfb3d9435b85e477dfead51
SHA1: be76ec9e0b5f903afea0943e9bbc7ffd6ef2766f
SHA256: 73c818b60eea60e6c1a1e5688a373c6b8376ca4ea2ff269695fe6eeef134b3c8
SHA512: d3709875302560b329c6588c33a0fb7bf0083992298e9e26cd8282537f1224f720153df95af7fbc46b53531ba9fe8ff8af5370e9b7dc120a783e0fa44f4501b0

Filesize: 316KB
MD5: 982bf5b99b3ca20cfc0d93444ca1c40d
SHA1: 77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da
SHA256: 7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1
SHA512: d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

Filesize: 2.9MB
MD5: a9f348be577f108d379aad0028581b62
SHA1: 1b40e0080a659f9be8bc5f7d6ca55f455a8878d2
SHA256: 9738196ea440301b0666fb6553b69e79ca60a563b6577d77d40aa871ed25c366
SHA512: 6cb731f4f822de8a27738c1613e3633cc5c090f801dfb696f1c0eea6d389836be99c591e30886cceb895cf538b908ffa958c3ecebe7990032a9b265ed0b55274

Filesize: 316KB
MD5: 982bf5b99b3ca20cfc0d93444ca1c40d
SHA1: 77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da
SHA256: 7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1
SHA512: d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

Filesize: 316KB
MD5: 982bf5b99b3ca20cfc0d93444ca1c40d
SHA1: 77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da
SHA256: 7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1
SHA512: d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508