Analysis
  max time kernel: 205s
  max time network: 205s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 25/11/2022, 03:26
Static task: static1

Behavioral task: behavioral1
  Sample: 2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
  Resource: win10v2004-20221111-en
General
  Target: 2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
  Size: 277KB
  MD5: eda44d677d19df0a7b4133f6868452ae
  SHA1: 6446040c726f5936045ff83a6cfe9414bd3459d6
  SHA256: 2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35
  SHA512: cc3eee000a4fe203149ab3eee9658169bb4eda4cfeae2cd75a5029b73091708cfcf23b52e9031dd98039b2043387fb84c9610dc2e6662347b9749b1dbd66ce28
  SSDEEP: 6144:/CoQdB4uzlGz2XiU4xlYxgdZGEKHPr4n3yJWmdrctll:/0qylGWX4ixgdZGEKH0nmWSrIl
Malware Config
Signatures
  Loads dropped DLL (2 IoCs)
    pid   Process
    1508  taskmgr.exe
    1508  taskmgr.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    1724  2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
    1724  2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
    1508  taskmgr.exe  (all remaining entries identical)

  Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
    pid   Process
    1724  2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
    1508  taskmgr.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  1724  2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
    Token: SeDebugPrivilege  1508  taskmgr.exe

  Suspicious use of FindShellTrayWindow (64 IoCs)
    pid   Process
    1508  taskmgr.exe  (64 identical entries)

  Suspicious use of SendNotifyMessage (64 IoCs)
    pid   Process
    1508  taskmgr.exe  (64 identical entries)

  Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    1724  2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process                                                                   procid_target
    PID 1724 wrote to memory of 1508  1724  2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe  28
    (4 identical entries)
Processes

  C:\Users\Admin\AppData\Local\Temp\2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe  (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe"
    PID: 1724
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskmgr.exe  (depth 2, nested under the process above)
      Command line: "C:\Windows\System32\taskmgr.exe"
      PID: 1508
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads

  \Users\Admin\AppData\Local\Temp\2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35.exe
    Filesize: 277KB
    MD5: eda44d677d19df0a7b4133f6868452ae
    SHA1: 6446040c726f5936045ff83a6cfe9414bd3459d6
    SHA256: 2b762f3bb41c315c3980d3778e1efc453ed857d563165a4cdc58c844d7fe7a35
    SHA512: cc3eee000a4fe203149ab3eee9658169bb4eda4cfeae2cd75a5029b73091708cfcf23b52e9031dd98039b2043387fb84c9610dc2e6662347b9749b1dbd66ce28