Analysis

  • max time kernel
    151s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 04:56 UTC

General

  • Target

    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe

  • Size

    283KB

  • MD5

    2fd3124d005d926474b37989e761b5d7

  • SHA1

    7672db2950da80660eb40e5715c42b6a0d55cff8

  • SHA256

    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879

  • SHA512

    cf3cffe8dd67473c8cdf4b76cf4126623ed5b8a460f6c8236bde992c28a3a94e49464fb649cfdd36870b7878f160740f381a15ed4ed2c09cd976a3b833ab34ec

  • SSDEEP

    6144:Ty2np1+qX4GIELmfaPPeSm/FGPOG/bKux27:Ty2nP+qX43E6CPPeSmGpxc

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe
    "C:\Users\Admin\AppData\Local\Temp\4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      "C:\Users\Admin\AppData\Roaming\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:652

Network

  • DNS
    Process: svhost.exe
    Remote address: 8.8.8.8:53
    Request: lol-lol.zapto.org IN A
    Response: lol-lol.zapto.org IN A 0.0.0.0
    Bytes sent / received: 63 B / 79 B
    Requests / responses: 1 / 1

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe

    Filesize

    283KB

    MD5

    2fd3124d005d926474b37989e761b5d7

    SHA1

    7672db2950da80660eb40e5715c42b6a0d55cff8

    SHA256

    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879

    SHA512

    cf3cffe8dd67473c8cdf4b76cf4126623ed5b8a460f6c8236bde992c28a3a94e49464fb649cfdd36870b7878f160740f381a15ed4ed2c09cd976a3b833ab34ec

  • \Users\Admin\AppData\Roaming\svhost.exe

    Filesize

    283KB

    MD5

    2fd3124d005d926474b37989e761b5d7

    SHA1

    7672db2950da80660eb40e5715c42b6a0d55cff8

    SHA256

    4a3a4dcda0532f1521ae8ebe5efe7ae77c0e51b03c85e46edbc08c9e012ad879

    SHA512

    cf3cffe8dd67473c8cdf4b76cf4126623ed5b8a460f6c8236bde992c28a3a94e49464fb649cfdd36870b7878f160740f381a15ed4ed2c09cd976a3b833ab34ec

  • memory/936-65-0x0000000074BB0000-0x000000007515B000-memory.dmp

    Filesize

    5.7MB

  • memory/936-66-0x0000000074BB0000-0x000000007515B000-memory.dmp

    Filesize

    5.7MB

  • memory/936-67-0x0000000002146000-0x0000000002157000-memory.dmp

    Filesize

    68KB

  • memory/936-68-0x0000000002146000-0x0000000002157000-memory.dmp

    Filesize

    68KB

  • memory/1676-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

    Filesize

    8KB

  • memory/1676-55-0x0000000074BB0000-0x000000007515B000-memory.dmp

    Filesize

    5.7MB

  • memory/1676-62-0x0000000074BB0000-0x000000007515B000-memory.dmp

    Filesize

    5.7MB
