Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 00:27

General

  • Target

    070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe

  • Size

    10.0MB

  • MD5

    b8c899ad14a17c09d384ab0407493208

  • SHA1

    e892019fac46cefd25ed561b36d1ea279c023ce6

  • SHA256

    070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345

  • SHA512

    a8ab017191401226344cdf5b62cd3ff38876f0afba3bdde56f8540cf98a91b0a4724b9f968d3b6101e1ae9eb08b49e8373caaf206a775964d3345bfe67489877

  • SSDEEP

    1536:D0uOtMg/ShmxlXLaOkaF/KMGHLatFj3BYReOe7g3lvUlQLD/JpD0umXRe5wMvXmE:DjOtKSXugFQ6Fj8eaV7JhGe5wcXjKe

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe
    "C:\Users\Admin\AppData\Local\Temp\070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      2⤵
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\syswow64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        3⤵
        • Adds policy Run key to start application
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:552
    • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:716
      • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          4⤵
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Windows\syswow64\svchost.exe
            C:\Windows\syswow64\svchost.exe
            5⤵
            • Drops file in Windows directory
            PID:1184
    • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2036

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

    Filesize

    7KB

    MD5

    445d68e1678bafab128cdf043188dd8a

    SHA1

    3ec4c3b6ca1abab4057ac3a814edf09c1e60dc4e

    SHA256

    db97d9b09dc680b8e7f913241c25b92fdb08cbb0e7d403c30ab41d22d9b58658

    SHA512

    6e9d9d63aaa23d0e361b2340f4439c240f2174ceae682eba78ec7febf26357f2af3007c0c7ab5ce186ab719493dd8d52dda9f1ccb4dda673a139b6cac8662edf

  • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

    Filesize

    7KB

    MD5

    445d68e1678bafab128cdf043188dd8a

    SHA1

    3ec4c3b6ca1abab4057ac3a814edf09c1e60dc4e

    SHA256

    db97d9b09dc680b8e7f913241c25b92fdb08cbb0e7d403c30ab41d22d9b58658

    SHA512

    6e9d9d63aaa23d0e361b2340f4439c240f2174ceae682eba78ec7febf26357f2af3007c0c7ab5ce186ab719493dd8d52dda9f1ccb4dda673a139b6cac8662edf

  • C:\Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

    Filesize

    7KB

    MD5

    445d68e1678bafab128cdf043188dd8a

    SHA1

    3ec4c3b6ca1abab4057ac3a814edf09c1e60dc4e

    SHA256

    db97d9b09dc680b8e7f913241c25b92fdb08cbb0e7d403c30ab41d22d9b58658

    SHA512

    6e9d9d63aaa23d0e361b2340f4439c240f2174ceae682eba78ec7febf26357f2af3007c0c7ab5ce186ab719493dd8d52dda9f1ccb4dda673a139b6cac8662edf

  • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

    Filesize

    10.0MB

    MD5

    b8c899ad14a17c09d384ab0407493208

    SHA1

    e892019fac46cefd25ed561b36d1ea279c023ce6

    SHA256

    070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345

    SHA512

    a8ab017191401226344cdf5b62cd3ff38876f0afba3bdde56f8540cf98a91b0a4724b9f968d3b6101e1ae9eb08b49e8373caaf206a775964d3345bfe67489877

  • C:\Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

    Filesize

    10.0MB

    MD5

    b8c899ad14a17c09d384ab0407493208

    SHA1

    e892019fac46cefd25ed561b36d1ea279c023ce6

    SHA256

    070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345

    SHA512

    a8ab017191401226344cdf5b62cd3ff38876f0afba3bdde56f8540cf98a91b0a4724b9f968d3b6101e1ae9eb08b49e8373caaf206a775964d3345bfe67489877

  • \Users\Admin\AppData\Roaming\Microsoft\LookupSvi.exe

    Filesize

    7KB

    MD5

    445d68e1678bafab128cdf043188dd8a

    SHA1

    3ec4c3b6ca1abab4057ac3a814edf09c1e60dc4e

    SHA256

    db97d9b09dc680b8e7f913241c25b92fdb08cbb0e7d403c30ab41d22d9b58658

    SHA512

    6e9d9d63aaa23d0e361b2340f4439c240f2174ceae682eba78ec7febf26357f2af3007c0c7ab5ce186ab719493dd8d52dda9f1ccb4dda673a139b6cac8662edf

  • \Users\Admin\AppData\Roaming\Microsoft\secdrv.exe

    Filesize

    10.0MB

    MD5

    b8c899ad14a17c09d384ab0407493208

    SHA1

    e892019fac46cefd25ed561b36d1ea279c023ce6

    SHA256

    070bc26b289a9c1b596772006af1c241ed0ebfb0fee1c0152157973ef61bb345

    SHA512

    a8ab017191401226344cdf5b62cd3ff38876f0afba3bdde56f8540cf98a91b0a4724b9f968d3b6101e1ae9eb08b49e8373caaf206a775964d3345bfe67489877

  • memory/552-69-0x0000000000090000-0x0000000000098000-memory.dmp

    Filesize

    32KB

  • memory/552-70-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

  • memory/552-78-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

  • memory/716-80-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/716-67-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/716-77-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1104-56-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1104-55-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

    Filesize

    8KB

  • memory/1184-91-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

  • memory/1184-92-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

  • memory/1372-60-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1372-58-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1372-57-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1596-79-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1596-76-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/2036-89-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB

  • memory/2036-93-0x0000000074760000-0x0000000074D0B000-memory.dmp

    Filesize

    5.7MB