Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
34s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23/11/2022, 20:54
Static task
static1
Behavioral task
behavioral1
Sample
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
Resource
win10v2004-20221111-en
General
-
Target
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
-
Size
202KB
-
MD5
6c33623044bed83d7ab579bb8dff8fea
-
SHA1
1181d74579c8eccc84ea5ceaf5eb85bc8934dc99
-
SHA256
0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca
-
SHA512
55528c731445b86dceb5ca06bea56dbe240e3af1b4976955abe49fb16391ae24163f5d47a33f048ec1f74c093c38124c2750a90a716f219c10e7331bb95c9c2c
-
SSDEEP
3072:sUhH+lIxpQoyjeRhDMiERHi+Oaf9ZJq8/Ng8TTeYEUhOrGp2:V+qXDyShD0Fi+df9ZYaJmYZA0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1252 LocalhhNFCSRcmz.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1252 LocalhhNFCSRcmz.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1792 wrote to memory of 1252 1792 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe 28 PID 1792 wrote to memory of 1252 1792 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe 28 PID 1792 wrote to memory of 1252 1792 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe 28 PID 1792 wrote to memory of 1252 1792 0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD58ade27886bd4b45661361a87ff22540d
SHA1705d67ad604f5a2ed770a8025299405ee665beac
SHA256c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942
SHA5126d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a
-
Filesize
72KB
MD58ade27886bd4b45661361a87ff22540d
SHA1705d67ad604f5a2ed770a8025299405ee665beac
SHA256c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942
SHA5126d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a