Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    46s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 23:14 UTC

General

  • Target

    91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe

  • Size

    512KB

  • MD5

    fda1dc5e8f4e40efec507a9f55e8adec

  • SHA1

    2cc06112f8f338dc0f3684af44f02abc5b6a8e10

  • SHA256

    91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08

  • SHA512

    5a42443ac1719941219a8ef810128251f314dda7ae8e7b4d24dcf86b74a51d62dd09ab44be425aa7c0c795a85185b29415e4a68a72d39b9f6e8b55a1fcfc550d

  • SSDEEP

    12288:0+h9St2Ma70zIIc91Dwws4zruXic2O/3E49:0+h9OY70z+warul3E49

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe
    "C:\Users\Admin\AppData\Local\Temp\91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe
      "C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe" 3bf59e10a7ea6222772cf88fyCuC2vGaI5uHmeNYJdPf99Xklrgj96Kvr7CnrEH9CHec2BtvT9xwKPtj4Px6zJRwXjgK3j85JGKRpvF1sjRw2lfxpDraUfU1TR75y7bF4XmvLofLrkEJtufHbEG+hUnFyAlkwPQHZmPuyd75f6lW61AO /v "C:\Users\Admin\AppData\Local\Temp\91838ded730ffd48d49683cc3ab0e50576a6465792755ec8062fabb570f33f08.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:308

Network

  • flag-unknown
    DNS
    ocsp.thawte.com
    s7385.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.thawte.com
    IN A
    Response
    ocsp.thawte.com
    IN CNAME
    ocsp-ds.ws.symantec.com.edgekey.net
    ocsp-ds.ws.symantec.com.edgekey.net
    IN CNAME
    e8218.dscb1.akamaiedge.net
    e8218.dscb1.akamaiedge.net
    IN A
    23.51.123.27
  • flag-unknown
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    s7385.exe
    Remote address:
    23.51.123.27:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 5
    Cache-Control: public, max-age=300
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Date: Tue, 29 Nov 2022 00:46:48 GMT
    Connection: keep-alive
  • flag-unknown
    GET
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    s7385.exe
    Remote address:
    23.51.123.27:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.thawte.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 5
    Cache-Control: public, max-age=300
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Date: Tue, 29 Nov 2022 00:46:49 GMT
    Connection: keep-alive
  • flag-unknown
    DNS
    crl.thawte.com
    s7385.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.thawte.com
    IN A
    Response
    crl.thawte.com
    IN CNAME
    crl-symcprod.digicert.com
    crl-symcprod.digicert.com
    IN CNAME
    cs9.wac.phicdn.net
    cs9.wac.phicdn.net
    IN A
    72.21.91.29
  • flag-unknown
    GET
    http://crl.thawte.com/ThawtePCA.crl
    s7385.exe
    Remote address:
    72.21.91.29:80
    Request
    GET /ThawtePCA.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.thawte.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 3523
    Cache-Control: public, max-age=3600
    Content-Type: application/pkix-crl
    Date: Tue, 29 Nov 2022 00:46:49 GMT
    Last-Modified: Mon, 28 Nov 2022 23:48:06 GMT
    Server: ECS (bsa/EB21)
    X-Cache: HIT
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Length: 604
  • flag-unknown
    DNS
    th.symcd.com
    s7385.exe
    Remote address:
    8.8.8.8:53
    Request
    th.symcd.com
    IN A
    Response
    th.symcd.com
    IN CNAME
    ocsp-ds.ws.symantec.com.edgekey.net
    ocsp-ds.ws.symantec.com.edgekey.net
    IN CNAME
    e8218.dscb1.akamaiedge.net
    e8218.dscb1.akamaiedge.net
    IN A
    23.51.123.27
  • flag-unknown
    GET
    http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D
    s7385.exe
    Remote address:
    23.51.123.27:80
    Request
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: th.symcd.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 1441
    Cache-Control: public, max-age=86400
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Date: Tue, 29 Nov 2022 00:46:49 GMT
    Connection: keep-alive
  • flag-unknown
    DNS
    e0fac.northstar.api.socdn.com
    s7385.exe
    Remote address:
    8.8.8.8:53
    Request
    e0fac.northstar.api.socdn.com
    IN A
    Response
    e0fac.northstar.api.socdn.com
    IN CNAME
    615321.parkingcrew.net
    615321.parkingcrew.net
    IN A
    76.223.26.96
    615321.parkingcrew.net
    IN A
    13.248.148.254
  • flag-unknown
    GET
    http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/config
    s7385.exe
    Remote address:
    76.223.26.96:80
    Request
    GET /installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/config HTTP/1.1
    User-Agent: DownloadMR/3.1.37 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=System Product Name;u=Admin;northstar;ecc5fae7-ff07-a8a9-c1c2-259a79fe0a76)
    Accept-Language: en-US
    Host: e0fac.northstar.api.socdn.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 29 Nov 2022 00:46:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: nginx
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    X-Redirect: zeropark_yahoo
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
  • flag-unknown
    POST
    http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event
    s7385.exe
    Remote address:
    76.223.26.96:80
    Request
    POST /installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event HTTP/1.1
    User-Agent: DownloadMR/3.1.37 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;DB IE11;m=System Product Name;u=Admin;northstar;ecc5fae7-ff07-a8a9-c1c2-259a79fe0a76)
    Accept-Language: en-US
    Content-Type: application/x-www-form-urlencoded
    Host: e0fac.northstar.api.socdn.com
    Content-Length: 12683
    Expect: 100-continue
    Response
    HTTP/1.1 403 Forbidden
    Date: Tue, 29 Nov 2022 00:46:57 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: keep-alive
    Server: nginx
    Vary: Accept-Encoding
  • 23.51.123.27:80
    http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
    http
    s7385.exe
    789 B
    1.1kB
    6
    6

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

    HTTP Response

    200

    HTTP Request

    GET http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

    HTTP Response

    200
  • 72.21.91.29:80
    http://crl.thawte.com/ThawtePCA.crl
    http
    s7385.exe
    409 B
    2.1kB
    6
    4

    HTTP Request

    GET http://crl.thawte.com/ThawtePCA.crl

    HTTP Response

    200
  • 23.51.123.27:80
    http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D
    http
    s7385.exe
    462 B
    1.9kB
    5
    4

    HTTP Request

    GET http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEH1FCfATdbNJ8t5mvxWkjNc%3D

    HTTP Response

    200
  • 76.223.26.96:80
    http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event
    http
    s7385.exe
    14.4kB
    11.0kB
    19
    23

    HTTP Request

    GET http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/config

    HTTP Response

    200

    HTTP Request

    POST http://e0fac.northstar.api.socdn.com/installer/5280fdf5-b928-4cc4-9510-17bb0a000013/12848024/event

    HTTP Response

    403
  • 8.8.8.8:53
    ocsp.thawte.com
    dns
    s7385.exe
    61 B
    163 B
    1
    1

    DNS Request

    ocsp.thawte.com

    DNS Response

    23.51.123.27

  • 8.8.8.8:53
    crl.thawte.com
    dns
    s7385.exe
    60 B
    144 B
    1
    1

    DNS Request

    crl.thawte.com

    DNS Response

    72.21.91.29

  • 8.8.8.8:53
    th.symcd.com
    dns
    s7385.exe
    58 B
    160 B
    1
    1

    DNS Request

    th.symcd.com

    DNS Response

    23.51.123.27

  • 8.8.8.8:53
    e0fac.northstar.api.socdn.com
    dns
    s7385.exe
    75 B
    143 B
    1
    1

    DNS Request

    e0fac.northstar.api.socdn.com

    DNS Response

    76.223.26.96
    13.248.148.254

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • C:\Users\Admin\AppData\Local\Temp\n7385\s7385.exe

    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • \Users\Admin\AppData\Local\Temp\n7385\s7385.exe

    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • \Users\Admin\AppData\Local\Temp\n7385\s7385.exe

    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • \Users\Admin\AppData\Local\Temp\n7385\s7385.exe

    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • \Users\Admin\AppData\Local\Temp\n7385\s7385.exe

    Filesize

    230KB

    MD5

    abaf13cb23de482dc944ab5b51ca3aac

    SHA1

    76837356db96dd56b647aba60f1adbbdc7b200fe

    SHA256

    b02fad5ac5234401505e1682c86f526951e8ded726687088c30987321f7c105e

    SHA512

    cc2aac30490511e49e1268f5df9139d176a3b849e663ad3b739e2f1cb50a6e084c465772ded5f694d5ec6f19ac40a57e5e64f7c47515f212476c20cbe9d6bce3

  • memory/308-62-0x000007FEF3C00000-0x000007FEF4623000-memory.dmp

    Filesize

    10.1MB

  • memory/308-63-0x000007FEF2B60000-0x000007FEF3BF6000-memory.dmp

    Filesize

    16.6MB

  • memory/308-64-0x0000000000A86000-0x0000000000AA5000-memory.dmp

    Filesize

    124KB

  • memory/308-65-0x000007FEED510000-0x000007FEEE39F000-memory.dmp

    Filesize

    14.6MB

  • memory/308-66-0x000007FEF2080000-0x000007FEF236A000-memory.dmp

    Filesize

    2.9MB

  • memory/308-67-0x0000000000A86000-0x0000000000AA5000-memory.dmp

    Filesize

    124KB

  • memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

    Filesize

    8KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.