Analysis
Max time kernel: 151s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 26/11/2022, 00:27

Static task: static1
Behavioral task: behavioral1
  Sample: 070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe
  Resource: win10v2004-20221111-en
General
Target: 070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe
Size: 10.0MB
MD5: b8c899ad14a17c09d384ab0407493208
SHA1: e892019fac46cefd25ed561b36d1ea279c023ce6
SHA256: 070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345
SHA512: a8ab017191401226344cdf5b62cd3ff38876f0afba3bdde56f8540cf98a91b0a4724b9f968d3b6101e1ae9eb08b49e8373caaf206a775964d3345bfe67489877
SSDEEP: 1536:D0uOtMg/ShmxlXLaOkaF/KMGHLatFj3BYReOe7g3lvUlQLD/JpD0umXRe5wMvXmE:DjOtKSXugFQ6Fj8eaV7JhGe5wcXjKe
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\19831 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msoiug.cmd" | svchost.exe

Executes dropped EXE (3 IoCs)
pid | Process
716 | LookupSvi.exe
1596 | secdrv.exe
2036 | LookupSvi.exe

Loads dropped DLL (2 IoCs)
pid | Process
1104 | 070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe
716 | LookupSvi.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" | LookupSvi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Macrovision Security Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\LookupSvi.exe" | LookupSvi.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | vbc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | vbc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | vbc.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1104 set thread context of 1372 | 1104 | 070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe | 27
PID 1596 set thread context of 1748 | 1596 | secdrv.exe | 32

Drops file in Program Files directory (1 IoC)
description | ioc | Process
File created | C:\PROGRA~3\LOCALS~1\Temp\msoiug.cmd | svchost.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\vbc.exe | svchost.exe
File opened for modification | C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\vbc.exe | svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: MapViewOfSection (4 IoCs)
pid | Process
1372 | vbc.exe
1372 | vbc.exe
1748 | vbc.exe
1748 | vbc.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1104 | 070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe
Token: SeDebugPrivilege | 716 | LookupSvi.exe
Token: SeDebugPrivilege | 1596 | secdrv.exe
Token: SeDebugPrivilege | 2036 | LookupSvi.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe (depth 1, PID 1104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, PID 1372)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\svchost.exe (depth 3, PID 552)
      Command line: C:\Windows\syswow64\svchost.exe
      - Adds policy Run key to start application
      - Drops file in Program Files directory
      - Drops file in Windows directory

  C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (depth 2, PID 716)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe (depth 3, PID 1596)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 4, PID 1748)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Maps connected drives based on registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Windows\syswow64\svchost.exe (depth 5, PID 1184)
          Command line: C:\Windows\syswow64\svchost.exe
          - Drops file in Windows directory

  C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe (depth 2, PID 2036)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 7KB
MD5: 445d68e1678bafab128cdf043188dd8a
SHA1: 3ec4c3b6ca1abab4057ac3a814edf09c1e60dc4e
SHA256: db97d9b09dc680b8e7f913241c25b92fdb08cbb0e7d403c30ab41d22d9b58658
SHA512: 6e9d9d63aaa23d0e361b2340f4439c240f2174ceae682eba78ec7febf26357f2af3007c0c7ab5ce186ab719493dd8d52dda9f1ccb4dda673a139b6cac8662edf
Filesize
10.0MB
MD5b8c899ad14a17c09d384ab0407493208
SHA1e892019fac46cefd25ed561b36d1ea279c023ce6
SHA256070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345
SHA512a8ab017191401226344cdf5b62cd3ff38876f0afba3bdde56f8540cf98a91b0a4724b9f968d3b6101e1ae9eb08b49e8373caaf206a775964d3345bfe67489877