Analysis
- max time kernel: 189s
- max time network: 87s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25/11/2022, 17:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe
  Resource: win10v2004-20221111-en
General
- Target: 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe
- Size: 585KB
- MD5: 593c49bcff04c91af78483c1d8d87cbd
- SHA1: 15499641c22650e742a2497b81de0fec8a6a5f84
- SHA256: 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
- SHA512: 9523027b47ee703211fb69858fa9213087c01186586a94d10f678ef35929fc211eea1be8e0acd285e44d9c96b1ee950ea280ee1fc547a1c861ae32c5923fbdaf
- SSDEEP: 12288:YsTrR2sP7XY655ig1Gi9iDen9Fsl7ut0ZOwRdu+qMd0QZh9u:YsTrR5P7XY655ig1Gi9iDen9s7utuvvu
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1016 | image.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid | Process
  860 | netsh.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2ffce1a32cea53c8ed10142ed958be.exe | image.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2ffce1a32cea53c8ed10142ed958be.exe | image.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e2ffce1a32cea53c8ed10142ed958be = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\image.exe\" .." | image.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7e2ffce1a32cea53c8ed10142ed958be = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\image.exe\" .." | image.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1016 | image.exe
  Token: 33 | 1016 | image.exe
  Token: SeIncBasePriorityPrivilege | 1016 | image.exe
  (the preceding pair, Token: 33 followed by Token: SeIncBasePriorityPrivilege, is recorded 9 times in total for pid 1016 / image.exe, giving 19 rows)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 316 wrote to memory of 1016 | 316 | 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe | 28
  PID 316 wrote to memory of 1016 | 316 | 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe | 28
  PID 316 wrote to memory of 1016 | 316 | 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe | 28
  PID 1016 wrote to memory of 860 | 1016 | image.exe | 29
  PID 1016 wrote to memory of 860 | 1016 | image.exe | 29
  PID 1016 wrote to memory of 860 | 1016 | image.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c.exe"
  PID: 316
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\image.exe (depth 2, child of PID 316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
    PID: 1016
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (depth 3, child of PID 1016)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\image.exe" "image.exe" ENABLE
      PID: 860
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 585KB
  MD5: 593c49bcff04c91af78483c1d8d87cbd
  SHA1: 15499641c22650e742a2497b81de0fec8a6a5f84
  SHA256: 5c1fde5711e603055eda9c5c45df3699a770bffc5498331db5f51963cedd0c5c
  SHA512: 9523027b47ee703211fb69858fa9213087c01186586a94d10f678ef35929fc211eea1be8e0acd285e44d9c96b1ee950ea280ee1fc547a1c861ae32c5923fbdaf