Analysis
max time kernel: 150s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 27/11/2022, 22:49
Static task: static1
Behavioral task: behavioral1
  Sample: 3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
  Resource: win10v2004-20221111-en
General
Target: 3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
Size: 4.4MB
MD5: fa25ea66f62fc503a570969d431df329
SHA1: 5127b92b6fb36944c60a090a01a32a4db54eb05e
SHA256: 3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406
SHA512: 2cf99eae018604bea3865d468ecc56ee7daec9b8e5b20f1cfdca1b6dc4b4ab6309ccc0303227d6623dbaa9398ffa4f5a8a209e4df60429ae50ec4e2cd08489fe
SSDEEP: 98304:rg56a8oxDqU7uHBUD86gpR0Gc18CZctvldxmcFHj+:U5AwYk8TnjcSCZcGc
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid    Process
684    mod.exe
1216   file1.exe

resource                                                                      yara_rule
behavioral1/files/0x000b000000012311-56.dat                                   upx
behavioral1/files/0x000b000000012311-58.dat                                   upx
behavioral1/memory/684-59-0x0000000000400000-0x00000000004BA000-memory.dmp    upx
behavioral1/memory/684-64-0x0000000000400000-0x00000000004BA000-memory.dmp    upx
Loads dropped DLL (2 IoCs)
pid    Process
684    mod.exe
684    mod.exe
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource                                                                      yara_rule
behavioral1/memory/684-59-0x0000000000400000-0x00000000004BA000-memory.dmp    autoit_exe
behavioral1/memory/684-64-0x0000000000400000-0x00000000004BA000-memory.dmp    autoit_exe
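The upx and autoit_exe hits above are YARA matches on the dropped file and on the two mod.exe memory dumps; the report does not show the rule text. The following is an added example, not tria.ge's rules and not code from the sample, that re-checks both verdicts offline: it walks the PE section table by hand and looks for the usual indicators, the UPX0/UPX1 section names and the "UPX!" marker for UPX, and the "AU3!EA06" signature that compiled AutoIt scripts embed. build_pe, the two constructed images and all function names are ours; the constants come from the PE/COFF header layout.

```python
"""Offline re-check of the upx / autoit_exe verdicts on a PE file or memory dump.

Added example (not tria.ge code, not the sample).  Standard library only; the
header offsets follow the PE/COFF layout and UPX0/UPX1/"UPX!" and "AU3!EA06"
are the usual packer and AutoIt indicators.
"""
import struct

# PE/COFF layout: e_lfanew at 0x3C; after the 4-byte "PE\0\0" signature the
# 20-byte COFF header holds NumberOfSections at +2 and SizeOfOptionalHeader
# at +16; the 40-byte section headers follow the optional header.
PE_SIG = b"PE\0\0"
SECTION_HDR_LEN = 40


def section_names(data: bytes) -> list:
    """Return the section names of a PE image (file or dump with headers intact)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsec):
        raw = data[table + SECTION_HDR_LEN * i: table + SECTION_HDR_LEN * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Flag the same two properties the report's YARA rules flagged."""
    names = section_names(data)
    return {
        "sections": names,
        # UPX renames sections to UPX0/UPX1 (and UPX2) and writes a "UPX!" marker.
        "upx": any(n.startswith("UPX") for n in names) or b"UPX!" in data,
        # Compiled AutoIt scripts carry this resource signature.
        "autoit": b"AU3!EA06" in data,
    }


def build_pe(names, payload: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE for testing (constructed input)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, three zeroed dwords, SizeOfOptionalHeader=0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * (SECTION_HDR_LEN - 8) for n in names)
    return dos + PE_SIG + coff + table + payload


# Constructed stand-ins: one "UPX-packed AutoIt" image, one plain image.
PACKED_AUTOIT = build_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16 + b"AU3!EA06" + b"\0" * 16)
PLAIN = build_pe([b".text", b".data", b".rsrc"])

if __name__ == "__main__":
    for label, img in (("packed autoit", PACKED_AUTOIT), ("plain", PLAIN)):
        print(label, triage(img))
```

To run it against the real artifacts, pass the bytes of the 0x000b000000012311-*.dat file or of a 684-*-memory.dmp dump to triage(); a dump taken at the image base keeps the headers, so the section walk works on it as well as on the file.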
Drops file in Windows directory (2 IoCs)
description                     ioc                   Process
File opened for modification    C:\Windows\mod.exe    3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
File created                    C:\Windows\mod.exe    3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a heuristic verdict; no IoC row is listed for it in this report.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
1216   file1.exe
1216   file1.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
1216   file1.exe

Suspicious use of FindShellTrayWindow (9 IoCs)
pid    Process
684    mod.exe      (4 identical rows)
1216   file1.exe    (5 identical rows)

Suspicious use of SendNotifyMessage (4 IoCs)
pid    Process
684    mod.exe      (4 identical rows)

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    Process                                                                  procid_target
PID 1584 wrote to memory of 684    1584   3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe    28    (4 identical rows)
PID 684 wrote to memory of 1216    684    mod.exe                                                                  29    (4 identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe"
   PID: 1584
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\mod.exe  (child of PID 1584)
      Command line: C:\Windows/mod.exe
      PID: 684
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\file1.exe  (child of PID 684)
         Command line: C:\Users\Admin\AppData\Local\Temp\file1.exe
         PID: 1216
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of FindShellTrayWindow
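The signature hits and the process tree describe one chain: the sample writes C:\Windows\mod.exe and launches it (note the forward slash in the recorded command line, C:\Windows/mod.exe), and mod.exe in turn launches file1.exe from the user's Temp directory. Creating a file directly under C:\Windows requires an administrative token, so that first step succeeds here because the sandbox user is an administrator. Each WriteProcessMemory row targets exactly the child the writing process spawns next (1584 to 684, 684 to 1216), which is consistent with the parent-writes-child pattern of process creation rather than a write into an unrelated process. The following added example, not tria.ge code and not code from the sample, rebuilds the tree from constructed event records and flags every process whose image was written to disk earlier in the run; the event tuple layout is ours, and because the report does not say which process created file1.exe, the example assumes mod.exe did.

```python
"""Rebuild a sandbox process tree and flag drop-then-execute chains.

Added example, not tria.ge code.  EVENTS is constructed from this report's
process tree and file IoCs; the tuple layout is ours and the creator of
file1.exe is assumed (the report only shows it being executed).
"""
from pathlib import PureWindowsPath

SAMPLE = "3a7a7727e57608b41e84fb60bccb4767a7f0e36dafcc8db65bf6a11f4a163406.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (event, acting pid, details), in chronological order.  Constructed for this example.
EVENTS = [
    ("proc_start", 1584, {"image": TEMP + "\\" + SAMPLE, "ppid": None}),
    ("file_create", 1584, {"path": r"C:\Windows\mod.exe"}),
    ("proc_start", 684, {"image": r"C:\Windows/mod.exe", "ppid": 1584}),   # mixed separator, as in the report
    ("file_create", 684, {"path": TEMP + r"\file1.exe"}),                  # assumed: the report does not name the creator
    ("proc_start", 1216, {"image": TEMP + r"\file1.exe", "ppid": 684}),
]


def norm(path: str) -> str:
    """Case-fold and fix separators so C:\\Windows/mod.exe matches C:\\Windows\\mod.exe."""
    return str(PureWindowsPath(path)).lower()


def build_tree(events) -> dict:
    """pid -> {image, ppid, children}, built from proc_start events."""
    tree = {}
    for ev, pid, d in events:
        if ev == "proc_start":
            tree[pid] = {"image": d["image"], "ppid": d["ppid"], "children": []}
    for pid, info in tree.items():
        if info["ppid"] in tree:
            tree[info["ppid"]]["children"].append(pid)
    return tree


def ancestry(tree, pid) -> list:
    """Image file names from the root process down to pid."""
    chain = []
    while pid in tree:
        chain.append(PureWindowsPath(tree[pid]["image"]).name)
        pid = tree[pid]["ppid"]
    return chain[::-1]


def find_dropped_executions(events) -> list:
    """One finding per process whose image was written to disk earlier in the run."""
    tree = build_tree(events)
    dropped = {}          # normalised path -> pid that first wrote it
    findings = []
    for ev, pid, d in events:
        if ev == "file_create":
            dropped.setdefault(norm(d["path"]), pid)
        elif ev == "proc_start" and norm(d["image"]) in dropped:
            dropper = dropped[norm(d["image"])]
            findings.append({
                "pid": pid,
                "image": d["image"],
                "dropped_by": dropper,
                "launched_by_dropper": dropper == d["ppid"],
                # A drop under C:\Windows needs an admin token, so it gets its own flag.
                "in_windows_dir": norm(d["image"]).startswith("c:\\windows\\"),
                "chain": ancestry(tree, pid),
            })
    return findings


if __name__ == "__main__":
    for f in find_dropped_executions(EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])}  dropped_by={f['dropped_by']} "
              f"launched_by_dropper={f['launched_by_dropper']} in_windows_dir={f['in_windows_dir']}")
```

On this report's events the function returns two findings, mod.exe (dropped and launched by the sample, under C:\Windows) and file1.exe (launched by mod.exe from Temp), which is the same pair the "Executes dropped EXE" signature lists.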
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 3.9MB
MD5: bb72dc16a5123fc281c3cba1f9746843
SHA1: c1c9dab6e287fb4bb54a95bb1ecefa40997b21b5
SHA256: 7c89916c3627988e90459654de59dedd044517c66399e77dd99eef8c3659f0b5
SHA512: cdbdea9ada37d23da8d8a3cb4e77ecd5244d445eba77fa8cd9616dc9fea2ecce0831a6d7689efbfa92c7dc579319a0d3d829c86358fd31bb7efbfea0acd3cc84

Filesize: 3.5MB
MD5: 42c9cacf190044844c19ec76f15e6751
SHA1: 1d2497ace6a9153f812c49d3160d6ef3bcc3b89f
SHA256: 7b7b431db27564a24eaaa6db5bff786aff91abf651a578ccff2ada372cb5d7f5
SHA512: e850b9d571cc86f31fa3c109c4ac4f769ccd5db2cf1e377d44b4b0f503abce98a11189aa9b9278626ecf2b3969c797b83f584f0432bbd36d347f9beb50770b8c