Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
44s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
27/11/2022, 07:08
Static task
static1
Behavioral task
behavioral1
Sample
7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
Resource
win10v2004-20221111-en
General
-
Target
7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe
-
Size
3.5MB
-
MD5
03d9bd5b2e777234ed9abb531795a432
-
SHA1
4ce18554eae7a948685581cbb54629b5bb9323e1
-
SHA256
7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4
-
SHA512
3e738fe8469d85d51d94e75c81847eb3f461a1ca1c22e4eff599e0651dd38f8b9d6568907e88d4070d66d1501687bf63a13fa802215369ec3d2c6647d5acdbe3
-
SSDEEP
98304:RDGnkRWN+Ci067DeL2iUZz9ZdvyjfXMNgvHNIekdwLg:gN+Cw62Nrv0fXMNetIPwLg
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 992 1352 WerFault.exe 25 -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1352 wrote to memory of 992 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe 26 PID 1352 wrote to memory of 992 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe 26 PID 1352 wrote to memory of 992 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe 26 PID 1352 wrote to memory of 992 1352 7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe 26
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe"C:\Users\Admin\AppData\Local\Temp\7b536a34adb465e42395cca862cedf6f53ed26b4a227bad6d7dfa509683c69a4.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 4602⤵
- Program crash
PID:992
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5d0f2416807f04c559e6394a0a4c7f1d1
SHA17df43ffa3716156d282b1e37d12dd1122f0a762c
SHA2560fe6a869cf220769a058f8d281f272ef72669e3587673e52b53f3f9650dcf1fc
SHA5128199c967ad813216f2ef3094a7614c9ccc95d35a817fc685cb7823f36cc97f0279bddd0ec0bb8f07ee2445476aaea35548516841ee9cde53a8be395515457799