Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

23ed589b5e...87.exe

windows7-x64

10

23ed589b5e...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2022, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23ed589b5e30005891dc957cad1efb9df5587512d820b0ed6d9c9cf958a39987.exe

  • Size

    746KB

  • MD5

    1a1edddace03ddef321c864e150785d1

  • SHA1

    fc36161ff998afd44fd15f82c94a48a60ff6a801

  • SHA256

    23ed589b5e30005891dc957cad1efb9df5587512d820b0ed6d9c9cf958a39987

  • SHA512

    2840795eb0961c89db8c87d316cb43a2f94467452868bbfd9ccf06e9d18cf3e6f42eb59eafbbcaaff7962131b66e5e3d74e7df7ac336210e7dd41b1f0956d516

  • SSDEEP

    6144:a+nglw9ayQv3ahvyn/PU7O0KXgTTSj9ltfgIg+oaAhIXbO9qsWSM:rjS3Yvyn/0TkLFYsqTM

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23ed589b5e30005891dc957cad1efb9df5587512d820b0ed6d9c9cf958a39987.exe
    "C:\Users\Admin\AppData\Local\Temp\23ed589b5e30005891dc957cad1efb9df5587512d820b0ed6d9c9cf958a39987.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\SysWOW64\reg.exe
        reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
        3⤵
        • Adds Run key to start application
        PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\SysWOW64\reg.exe
        reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
        3⤵
        • Adds Run key to start application
        PID:1748
    • C:\windows\temp\01133.exe
      "C:\windows\temp\01133.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1300

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\01133.exe
    Filesize

    11KB

    MD5

    5ff1667abbd26132c3e2784f3c16878e

    SHA1

    3e9db39bddb6abad25193633e206c57046e8524e

    SHA256

    8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

    SHA512

    5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

    Download Submit

  • C:\windows\temp\01133.exe
    Filesize

    11KB

    MD5

    5ff1667abbd26132c3e2784f3c16878e

    SHA1

    3e9db39bddb6abad25193633e206c57046e8524e

    SHA256

    8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

    SHA512

    5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

    Download Submit

  • \Windows\Temp\01133.exe
    Filesize

    11KB

    MD5

    5ff1667abbd26132c3e2784f3c16878e

    SHA1

    3e9db39bddb6abad25193633e206c57046e8524e

    SHA256

    8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

    SHA512

    5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

    Download Submit

  • \Windows\Temp\01133.exe
    Filesize

    11KB

    MD5

    5ff1667abbd26132c3e2784f3c16878e

    SHA1

    3e9db39bddb6abad25193633e206c57046e8524e

    SHA256

    8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

    SHA512

    5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

    Download Submit

  • \Windows\Temp\01133.exe
    Filesize

    11KB

    MD5

    5ff1667abbd26132c3e2784f3c16878e

    SHA1

    3e9db39bddb6abad25193633e206c57046e8524e

    SHA256

    8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

    SHA512

    5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

    Download Submit

  • \Windows\Temp\01133.exe
    Filesize

    11KB

    MD5

    5ff1667abbd26132c3e2784f3c16878e

    SHA1

    3e9db39bddb6abad25193633e206c57046e8524e

    SHA256

    8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

    SHA512

    5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

    Download Submit

  • memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

    Filesize

    8KB

    Download