Analysis
max time kernel: 142s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 19:04
Static task: static1
Behavioral task: behavioral1
  Sample: 19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe
  Resource: win10v2004-20220812-en
(The results below are from the windows7_x64 run on win7-20220812-en.)
General
Target: 19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe
Size: 227KB
MD5: a6bb070d438a766d4966ce5ff0a57e0d
SHA1: 38daa2d784f17e3f1046c246bca874698ab65e9c
SHA256: 19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b
SHA512: 8a9757daad0c9456118f10b19cd5910f0b90391da02271a4cd11b2c159a3d1c16a7d6e2181178284f00358294397b9db4479a016aacc83ddc52606c5a9b163cc
SSDEEP: 6144:+9o7tHiKg02IwLgnIgRdS6rxKJksoddmwEVT9:6AHiKgHUd9xKJkuz9
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
  flow  pid   Process
  5     1880  wscript.exe
  7     1880  wscript.exe
  9     1880  wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies system certificate store 2 IoCs
  description       ioc                                                                                                                   Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474        wscript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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   wscript.exe
  (Signature name taken from the wscript.exe entry in the process tree of this report.) AuthRoot is the store that Windows populates through its automatic root-certificate update when a process first validates a chain to a root it has not cached locally, so a new AuthRoot\Certificates\<thumbprint> entry written by wscript.exe while it is making network requests is consistent with ordinary TLS validation as well as with deliberate tampering; on its own it is weak evidence of the latter. Compare the thumbprint against the current Microsoft trusted root list before treating it as an attacker-installed root.
Runs ping.exe 1 TTPs 1 IoCs
  pid   Process
  2032  PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
  pid   Process
  952   DllHost.exe
Suspicious use of WriteProcessMemory 20 IoCs
  (each row below appears four times in the original table, giving the 20 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 868 wrote to memory of 2032    868   19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe   27
  PID 868 wrote to memory of 1752    868   19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe   30
  PID 868 wrote to memory of 1776    868   19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe   32
  PID 1776 wrote to memory of 1880   1776  cmd.exe                                                                   34
  PID 1880 wrote to memory of 1472   1880  wscript.exe                                                               37
Processes
C:\Users\Admin\AppData\Local\Temp\19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe  (PID 868)
  command line: "C:\Users\Admin\AppData\Local\Temp\19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe"
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 2032)
      command line: "C:\Windows\System32\PING.EXE" 127.0.0.1 -n 1
      signatures: Runs ping.exe
    C:\Windows\SysWOW64\cmd.exe  (PID 1752)
      command line: "C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.bin" del /f /q "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js"&exit
    C:\Windows\SysWOW64\cmd.exe  (PID 1776)
      command line: "C:\Windows\System32\cmd.exe" /c if exist "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js" start wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js"
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\wscript.exe  (PID 1880)
          command line: wscript.exe //B //Nologo //T:360 "C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.js"
          signatures: Blocklisted process makes network request; Modifies system certificate store; Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  (PID 1472)
              command line: cmd /c ""C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053.cmd" "
C:\Windows\SysWOW64\DllHost.exe  (PID 952)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  signatures: Suspicious use of FindShellTrayWindow

Reading the chain: the sample first runs a single ping to 127.0.0.1 (a short delay in a dropper that has no sleep of its own), then a cmd.exe one-liner that deletes the dropped .js only if a companion .bin exists, then a second one-liner that, if the .js is still present, starts it under wscript.exe in batch mode (//B suppresses prompts and error dialogs) with no logo and a 360-second script timeout (//T:360). That script host is the only process making network requests, and it in turn runs a dropped .cmd from the same %APPDATA%\Roaming directory. The image paths are under SysWOW64 while the command lines name System32: the sample is a 32-bit process, so its children were resolved through WoW64 file-system redirection, which matters when writing path-based detections for this chain.
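Detection logic for the chain above, as an added example that is not part of this Triage report: it takes constructed Sysmon-style process-creation events (PID, parent PID, image path, command line) copied from the process tree, with parent links taken from the WriteProcessMemory table, and flags the four behaviours a detection engineer would key on. The parent PIDs of 868 and 952 are not in the report and are set to None; the rule names and severities are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    ppid: Optional[int]   # None when the parent was not captured (assumed for PID 868 and 952)
    image: str            # path of the created process
    cmdline: str


# Constructed events mirroring the report's process tree. Paths, PIDs and command
# lines are copied from the report; parent links come from its WriteProcessMemory table.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\19c22a4ef415fc47c32bd6b351da57938c70574a2b7d223607c123743a07af9b.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\566bbee0f961ad71b54c3c2fd36db053"
SYS32 = r"C:\Windows\System32"
WOW64 = r"C:\Windows\SysWOW64"

EVENTS = [
    ProcEvent(868, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2032, 868, WOW64 + r"\PING.EXE", f'"{SYS32}\\PING.EXE" 127.0.0.1 -n 1'),
    ProcEvent(1752, 868, WOW64 + r"\cmd.exe",
              f'"{SYS32}\\cmd.exe" /c if exist "{DROP}.bin" del /f /q "{DROP}.js"&exit'),
    ProcEvent(1776, 868, WOW64 + r"\cmd.exe",
              f'"{SYS32}\\cmd.exe" /c if exist "{DROP}.js" start wscript.exe //B //Nologo //T:360 "{DROP}.js"'),
    ProcEvent(1880, 1776, WOW64 + r"\wscript.exe", f'wscript.exe //B //Nologo //T:360 "{DROP}.js"'),
    ProcEvent(1472, 1880, WOW64 + r"\cmd.exe", f'cmd /c ""{DROP}.cmd" "'),
    ProcEvent(952, None, WOW64 + r"\DllHost.exe",
              WOW64 + r"\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"),
]

# Script host started in batch mode (//B) on a script dropped under %APPDATA%\Roaming.
WSCRIPT_BATCH = re.compile(
    r'wscript(\.exe)?\s+(//\S+\s+)*//B\b.*\\AppData\\Roaming\\[^"]+\.(js|jse|vbs|vbe|wsf)\b', re.I)
# Counted ping against loopback: the usual "sleep" in droppers that lack a sleep primitive.
PING_DELAY = re.compile(r'ping(\.exe)?"?\s+127\.0\.0\.1\s+-n\s+\d+', re.I)
# cmd one-liner that deletes a file only when a companion file exists.
COND_DELETE = re.compile(r'/c\s+if\s+exist\s+"[^"]+"\s+del\s+/f\s+/q\s+"[^"]+"', re.I)
# Directories a standard user can write to; matched on both image paths and command lines.
USER_WRITABLE = re.compile(r'\\AppData\\(Local\\Temp|Roaming)\\', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent, grandparent, ... as far as the captured events reach (cycle-safe against PID reuse)."""
    chain, seen, cur = [], {ev.pid}, ev
    while cur.ppid is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one finding per event that matches a rule, in event order."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        name = _basename(e.image)
        anc = _ancestors(e, by_pid)
        parent_name = _basename(anc[0].image) if anc else ""
        if name == "wscript.exe" and WSCRIPT_BATCH.search(e.cmdline):
            # Highest confidence when reached via cmd.exe from a binary in a user-writable directory.
            staged = parent_name == "cmd.exe" and any(USER_WRITABLE.search(a.image) for a in anc)
            findings.append({"rule": "wscript_batch_appdata", "pid": e.pid,
                             "severity": "high" if staged else "medium"})
        elif name == "ping.exe" and PING_DELAY.search(e.cmdline) and anc and USER_WRITABLE.search(anc[0].image):
            findings.append({"rule": "ping_loopback_delay", "pid": e.pid, "severity": "low"})
        elif name == "cmd.exe" and COND_DELETE.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append({"rule": "conditional_self_delete", "pid": e.pid, "severity": "medium"})
        elif name == "cmd.exe" and parent_name in ("wscript.exe", "cscript.exe") and USER_WRITABLE.search(e.cmdline):
            findings.append({"rule": "script_host_spawns_shell", "pid": e.pid, "severity": "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The rules match on the basename of the image path rather than on System32 or SysWOW64, so the WoW64 redirection seen in this report does not change the outcome; the loopback-ping rule is deliberately gated on a user-writable parent, because ping 127.0.0.1 from an administrator's shell is routine.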
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 125KB
MD5: 3c2de6d4c2dfecf633e801fd73fdabc4
SHA1: a0d0b824571d9cc621e01c06319d6e546a6a0e25
SHA256: ccd2e89fe77045544f6da21250535cc61c0e5a4f5702a4b8ba7930549a8fed42
SHA512: 18b4b52f02f65bb1a11c01664b76f27dc0a9ab610802ed66fccc36e2f174eaabb6fe746689437191d7c9e7e06eee5103be0eed5bbd4b00ec39b97611d4ad7d49

Filesize: 68KB
MD5: fb5e07870199d63c34448b68a84912ee
SHA1: b6e46748c5c5a5d902e20f6e2d45064d3ca4050e
SHA256: 03d233031c6d3f6293d82c14e81334935c43a8651d619de4dcdca9dd20e86ffa
SHA512: 4c6b8be2710fffff3c3a58bc8d3f803e11308a68e4513f8ffe625d7436d242c6c71203c5b2b6b0b738754bdadbb2e97d6933fb7a10a5dc366ababe8e03250c65

Filesize: 860B
MD5: 12558d0bf7d69db70988530eafffeb53
SHA1: e594eacae5147c953f4b57d3ed3449a7699e3078
SHA256: 4f2c8969cd573fc8408df3449c88ae1c7f34afa2a176a8fc1e5a68ed3dcf4fde
SHA512: b88ea05c76beb9ba83640df2991b1990ea396550b71a7bfc10198667f7e537539fc68836be302d276aa1a6d2cb2b34aedc3f01c550cde54ae2857136a63d2f03