Analysis
max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24/11/2022, 02:15
Static task: static1
Behavioral task: behavioral1
  Sample: efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81.exe
  Resource: win10v2004-20220812-en
General
Target: efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81.exe
Size: 95KB
MD5: 52ade70bdce34f5f96081b37e5602abe
SHA1: c33d523c439e372b5c9a5936c24400b376bddab1
SHA256: efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81
SHA512: cade8ed0b1219730afb438c2dc776aa789aa09cffb42cdb63dd4377f57b508210ebe18bfbf751e1dd4f98d719257c0ee2d02e782c30cac4d64c58965e0430734
SSDEEP: 1536:S5SQJFvvonH+gwSXauHCNHAmp2cF1upoXtG4rwcwQtpsoy1UC:S84+mpf1pG4rwcwQtpsoy1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1708: mgruuii.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  PID 1716: netsh.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee453408f2795b31d01edc534b34ae49.exe (process: mgruuii.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee453408f2795b31d01edc534b34ae49.exe (process: mgruuii.exe)
- Loads dropped DLL (1 IoC)
  PID 1920: efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs, all from PID 1708, mgruuii.exe)
  Token: SeDebugPrivilege (1 occurrence)
  Token: 33 (9 occurrences, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege (9 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1920 (efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81.exe) wrote to memory of PID 1708, procid_target 28 (4 occurrences)
  PID 1708 (mgruuii.exe) wrote to memory of PID 1716, procid_target 29 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 1920
  - C:\Users\Admin\AppData\Local\Temp\mgruuii.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mgruuii.exe"
    Signatures: Executes dropped EXE; Drops startup file; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 1708
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\mgruuii.exe" "mgruuii.exe" ENABLE
      Signatures: Modifies Windows Firewall
      PID: 1716
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 95KB
  MD5: 52ade70bdce34f5f96081b37e5602abe
  SHA1: c33d523c439e372b5c9a5936c24400b376bddab1
  SHA256: efde3def3c71c75ae4ffbc14aae423e9465df6fa6c9aa216dd9ad9aeaae99c81
  SHA512: cade8ed0b1219730afb438c2dc776aa789aa09cffb42cdb63dd4377f57b508210ebe18bfbf751e1dd4f98d719257c0ee2d02e782c30cac4d64c58965e0430734