Analysis
max time kernel: 152s
max time network: 176s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26/11/2022, 07:24
Static task: static1

Behavioral task: behavioral1
Sample: c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe
Resource: win10v2004-20220901-en
General
Target: c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe
Size: 221KB
MD5: 596750f8bc7c1b8d15e2ed18995cb167
SHA1: a3adcd5f65d303a566206696ab4b02150a9ecc97
SHA256: c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9
SHA512: 72f3ffde1db036fbdf1cbfabc5d7dd84f284f1607f60b9e8756be4106217a8cf1db003e3dbf86f9a593dea6f36f8c130eccfe662ef43514e64d327dd3ed282fb
SSDEEP: 6144:pwHys8jsO3Mor+1MfgdCVtoAmNS3MECTphNDv3:SqsOTrEouCVtoq8ECTphN/
Malware Config

Signatures

Loads dropped DLL 1 IoCs
pid | Process
1544 | c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{57658914-EAB5-45F3-B4F9-308E9455EB1E}\\f5ea51da.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{57658914-EAB5-45F3-B4F9-308E9455EB1E}\\f5ea51da.exe" | explorer.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1544 set thread context of 796 | 1544 | c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe | 28
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (distinct rows)
768 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1280 | Process not Found
Suspicious behavior: MapViewOfSection 26 IoCs
pid | Process (distinct rows)
796 | c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe
768 | explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (distinct rows)
Token: SeDebugPrivilege | 768 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 872 | Process not Found
Token: SeIncreaseQuotaPrivilege | 872 | Process not Found
Token: SeSecurityPrivilege | 872 | Process not Found
Token: SeTakeOwnershipPrivilege | 872 | Process not Found
Token: SeLoadDriverPrivilege | 872 | Process not Found
Token: SeRestorePrivilege | 872 | Process not Found
Token: SeSystemEnvironmentPrivilege | 872 | Process not Found
Token: SeSystemtimePrivilege | 872 | Process not Found
Token: SeBackupPrivilege | 872 | Process not Found
Token: SeShutdownPrivilege | 872 | Process not Found
Token: SeUndockPrivilege | 872 | Process not Found
Token: SeManageVolumePrivilege | 872 | Process not Found
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process (distinct rows)
1280 | Process not Found

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process (distinct rows)
1280 | Process not Found

Suspicious use of UnmapMainImage 6 IoCs
pid | Process (distinct rows)
800 | Process not Found

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target (distinct rows)
PID 1544 wrote to memory of 796 | 1544 | c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe | 28
PID 796 wrote to memory of 768 | 796 | c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1544
  C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c911931abc119b6cc53a934ba0ea7da27a10aa19cf898fb82607ea7f057175f9.exe"
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 796
    C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 768
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 21KB
MD5: 8c31c49be6cbaeebcbf9704bb2ac9829
SHA1: 8fb33105b56c1aa8f52ab661b8af14df8f2b3bd3
SHA256: 966569e692689d1c809168820db467d10d0cd53a70ac25969e2cd5221c99dec5
SHA512: a39333d1d801eafe00abc406f6e08942dc6f32ab4a3c2368d3648cae28856786e20ae5f8769a04c40ef561d5c6c7f4eb0e70fd5124136113e595c47532be81bf