Analysis
- max time kernel: 151s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2022, 04:56
Static task: static1
Behavioral task: behavioral1
- Sample: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
- Resource: win10v2004-20221111-en
General
- Target: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
- Size: 283KB
- MD5: 2fd3124d005d926474b37989e761b5d7
- SHA1: 7672db2950da80660eb40e5715c42b6a0d55cff8
- SHA256: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879
- SHA512: cf3cffe8dd67473c8cdf4b76cf4126623ed5b8a460f6c8236bde992c28a3a94e49464fb649cfdd36870b7878f160740f381a15ed4ed2c09cd976a3b833ab34ec
- SSDEEP: 6144:Ty2np1+qX4GIELmfaPPeSm/FGPOG/bKux27:Ty2nP+qX43E6CPPeSmGpxc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 936, svhost.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  PID 652, netsh.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe (by svhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5857819bb096c04134249d6f4e71934.exe (by svhost.exe)
- Loads dropped DLL (2 IoCs)
  PID 1676, 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe (both hits)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." (by svhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b5857819bb096c04134249d6f4e71934 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." (by svhost.exe)
  Note the same name, b5857819bb096c04134249d6f4e71934, is reused for the per-user Run value, the machine-wide Run value and the Startup-folder filename; all three point at the same dropped copy in AppData\Roaming and make a single hunting pivot. The HKLM write landing under Wow6432Node means the writer is a 32-bit process on the x64 image (registry redirection), which matches netsh.exe being launched from SysWOW64 below. The Run value also passes a trailing ".." argument that the initial launch of svhost.exe in the process tree does not.
- Enumerates physical storage devices (1 TTP)
  Signature text: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  Caveat: that sentence is the signature's generic description, not a finding of this run. Nothing else in the report (no mass file writes or renames, no dropped ransom note) supports the ransomware reading; what is recorded is a copy to AppData\Roaming, Run-key and Startup-folder persistence, a firewall exception for the dropped copy and process enumeration, which is a persistence/remote-access pattern.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  All 18 hits from PID 936, svhost.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  PID 1676, 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe: SeDebugPrivilege; 33; SeIncBasePriorityPrivilege; 33; SeIncBasePriorityPrivilege
  PID 936, svhost.exe: SeDebugPrivilege; 33; SeIncBasePriorityPrivilege; 33; SeIncBasePriorityPrivilege
  (the dropped copy repeats the parent's privilege adjustments exactly, as expected for a self-copy)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1676 (4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe) wrote to memory of PID 936, target 28 (4 hits)
  PID 936 (svhost.exe) wrote to memory of PID 652, target 29 (4 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe"
   PID: 1676
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      PID: 936
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
         PID: 652
         - Modifies Windows Firewall
The chain is sample -> dropped self-copy named svhost.exe (one letter short of the legitimate svchost.exe) -> netsh adding the dropped copy to the firewall's allowed programs via the legacy "netsh firewall" context. netsh.exe running from SysWOW64 rather than System32 shows the whole chain is 32-bit code under WOW64 on the x64 image.
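The chain above (dropped copy in a user-writable path, a look-alike system binary name, netsh whitelisting that copy, Run values pointing back at it) is easy to express as a hunt over process-creation and registry events. The following is an added example, not tria.ge code or the report's own output. The event records are constructed in-line, modelled on the PIDs, paths and registry keys in this report plus one benign firewall rule as a control; the field names (pid, ppid, image, cmdline, key, data) are assumptions rather than any real sensor's schema.

```python
import re

# --- Constructed events (not sensor output), mirroring this report's tree ---
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\4a3a4dcda0532f1521ae8ebe5efe7ae7"
          r"7c0e51b03c85e46edbc08c9e012ad879.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\svhost.exe"
RUN_VALUE = "b5857819bb096c04134249d6f4e71934"

PROCESS_EVENTS = [
    {"pid": 1676, "ppid": 1200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 936, "ppid": 1676, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"pid": 652, "ppid": 936, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{DROPPED}" "svhost.exe" ENABLE'},
    # control: a legitimate-looking exception for a program under Program Files
    {"pid": 777, "ppid": 700, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="VPN" dir=in action=allow '
                'program="C:\\Program Files\\Vendor\\vpn.exe"'},
]
REGISTRY_EVENTS = [
    {"pid": 936, "key": r"\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\\" + RUN_VALUE,
     "data": f'"{DROPPED}" ..'},
    {"pid": 936, "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
                        r"\CurrentVersion\Run\\" + RUN_VALUE,
     "data": f'"{DROPPED}" ..'},
    {"pid": 4000, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# Paths an unprivileged user can write to; a persistence target here is suspicious.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# Program path from either the legacy 'netsh firewall add allowedprogram <path> ...'
# form seen in this report or the modern 'advfirewall ... program=<path>' form.
FW_PROGRAM = re.compile(r'(?:add\s+allowedprogram\s+|program=)(?:"([^"]+)"|(\S+))', re.I)
SYSTEM_NAMES = ("svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe")


def firewall_program(cmdline):
    """Return the program path a netsh command whitelists, or None."""
    m = FW_PROGRAM.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def edit_distance(a, b):
    """Levenshtein distance, used to catch svhost.exe-style look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(image):
    name = image.rsplit("\\", 1)[-1].lower()
    for real in SYSTEM_NAMES:
        if name != real and edit_distance(name, real) <= 1:
            return real
    return None


def hunt(proc_events, reg_events):
    """Return (rule, pid, detail) tuples for the chain this report shows."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for e in proc_events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name == "netsh.exe":
            prog = firewall_program(e["cmdline"])
            if prog and USER_WRITABLE.search(prog):
                findings.append(("firewall_exception_user_writable", e["pid"], prog))
            parent = by_pid.get(e["ppid"])
            if parent and USER_WRITABLE.search(parent["image"]):
                findings.append(("netsh_spawned_from_user_writable", e["pid"], parent["image"]))
        real = lookalike(e["image"])
        if real:
            findings.append(("system_binary_lookalike", e["pid"], f"{name} ~ {real}"))
    hives_by_value = {}  # (pid, value name) -> set of hives written
    for r in reg_events:
        if not RUN_KEY.search(r["key"]):
            continue
        if USER_WRITABLE.search(r["data"]):
            findings.append(("run_key_points_to_user_writable", r["pid"], r["key"]))
        hive = "MACHINE" if re.search(r"\\REGISTRY\\MACHINE|^HKLM", r["key"], re.I) else "USER"
        hives_by_value.setdefault((r["pid"], r["key"].rsplit("\\", 1)[-1]), set()).add(hive)
    for (pid, value), hives in hives_by_value.items():
        if len(hives) == 2:  # same value name planted per-user and machine-wide
            findings.append(("run_key_written_in_both_hives", pid, value))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

Against the constructed events this flags the firewall exception and its parent (PID 652), the svhost.exe name (PID 936), both Run-key writes and their reuse of one value name across hives, and stays silent on the Program Files control. On real telemetry the user-writable path test is the load-bearing check; the look-alike rule is deliberately tight (edit distance 1 against a short list) to keep it from firing on ordinary binaries.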
Network
MITRE ATT&CK Enterprise v6
Downloads (4 entries, identical hashes)
- Filesize: 283KB
- MD5: 2fd3124d005d926474b37989e761b5d7
- SHA1: 7672db2950da80660eb40e5715c42b6a0d55cff8
- SHA256: 4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879
- SHA512: cf3cffe8dd67473c8cdf4b76cf4126623ed5b8a460f6c8236bde992c28a3a94e49464fb649cfdd36870b7878f160740f381a15ed4ed2c09cd976a3b833ab34ec