Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

71f1495376...77.exe

windows7-x64

7

71f1495376...77.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71f14953764dc352252bb0a19c5861b6262292ea85e1bd2a516b9737bcdf9877.exe

  • Size

    2.9MB

  • MD5

    ea9907d0308098c06897412307dc115e

  • SHA1

    89b1ab33286e461d8878ad2381a47fb3d612579a

  • SHA256

    71f14953764dc352252bb0a19c5861b6262292ea85e1bd2a516b9737bcdf9877

  • SHA512

    1c0f63b0d9a4607cec12d32ddf82484ff07da27e17ef40afe498a0880e500d77d74b58036f42db740a8ca76bc10d6c53ef806d39209b5cfbf5c905234ba3ff0d

  • SSDEEP

    49152:EGM4GOrnHwDQSkRfYNjX5+nCi1a67GV+d4L28hUZzqmZxPHvLm48fXq7N4:RDGnkRWN+Ci067DeL2iUZz9ZdvyjfXMW

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71f14953764dc352252bb0a19c5861b6262292ea85e1bd2a516b9737bcdf9877.exe
    "C:\Users\Admin\AppData\Local\Temp\71f14953764dc352252bb0a19c5861b6262292ea85e1bd2a516b9737bcdf9877.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1060
      2⤵
      • Program crash
      PID:1900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1060
      2⤵
      • Program crash
      PID:4644
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1544 -ip 1544
    1⤵
      PID:1728
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:4916

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\112723191329\LZMA.dll
      Filesize

      67KB

      MD5

      d0f2416807f04c559e6394a0a4c7f1d1

      SHA1

      7df43ffa3716156d282b1e37d12dd1122f0a762c

      SHA256

      0fe6a869cf220769a058f8d281f272ef72669e3587673e52b53f3f9650dcf1fc

      SHA512

      8199c967ad813216f2ef3094a7614c9ccc95d35a817fc685cb7823f36cc97f0279bddd0ec0bb8f07ee2445476aaea35548516841ee9cde53a8be395515457799

      Download Submit