Analysis
max time kernel: 192s
max time network: 222s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2022, 08:43
Static task: static1
Behavioral task: behavioral1
  Sample: 5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe
  Resource: win10v2004-20220812-en
General
Target: 5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe
Size: 220KB
MD5: 941fb1cd3fdab89abc35f0a21abd2f45
SHA1: 349c15855c91c341db0bc01cc328a17a3554cbc4
SHA256: 5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9
SHA512: 14cf15e0f84f821adfd4dfe3037421291f296e9613db3f77405053e2b4a9a2e18625c2425a56af02bb479ff8e5c6b2eb45808d0054b5dbefd3d9cba213c0ade5
SSDEEP: 3072:sTVZEA0R5UeyVSzeIw6upojbcbf0L1siwNGRRH9fZvl2hZm6nE:sxWA0EeKvpdbf0L1si9H9fZvj6E
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygamiqog = "C:\\Windows\\iqokolkq.exe" | explorer.exe

Checks whether UAC is enabled (1 IoC)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | procid_target
PID 948 set thread context of 1264 | 948 | 5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe | 28

Drops file in Windows directory (2 IoCs)
description | ioc | process
File opened for modification | C:\Windows\iqokolkq.exe | explorer.exe
File created | C:\Windows\iqokolkq.exe | explorer.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | process
1188 | vssadmin.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeBackupPrivilege | 620 | vssvc.exe
Token: SeRestorePrivilege | 620 | vssvc.exe
Token: SeAuditPrivilege | 620 | vssvc.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | procid_target
PID 948 wrote to memory of 1264 (5 calls) | 948 | 5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe | 28
PID 1264 wrote to memory of 1188 (4 calls) | 1264 | explorer.exe | 29
Processes

C:\Users\Admin\AppData\Local\Temp\5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe (PID 948)
  command line: "C:\Users\Admin\AppData\Local\Temp\5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe"
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 1264)
      command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\vssadmin.exe (PID 1188)
          command line: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 620)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
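Reading the signatures and the process tree together: the sample (PID 948) spawns explorer.exe (PID 1264; the SysWOW64 image path with a system32 command line is WoW64 file-system redirection, so this is a 32-bit process), writes to it five times and then sets its thread context, which is the RunPE/process-hollowing sequence. The child explorer.exe, not the original sample, then drops C:\Windows\iqokolkq.exe, registers it under the HKLM Run key as ygamiqog, and launches vssadmin.exe Delete Shadows /All /Quiet. The Python below is an added example and is not part of the tria.ge report or of the sample: it replays a constructed event stream built from the report's IoC rows (PIDs, image paths, the Run value and the vssadmin command line are the report's; the event schema, field names and rule thresholds are assumptions of this example) and correlates it into those three findings, the way a detection engineer would turn the report into rules.

```python
"""Correlate sandbox-style behavioural events into triage findings.

Added example, not part of the tria.ge report. The EVENTS list is
constructed from the report's IoC rows; the event schema ("type", "pid",
"target", ...) and the thresholds below are assumptions of this example.
"""
from collections import defaultdict
import ntpath  # Windows path handling that also works on a Linux analysis box

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5fc92308120aa10dc1062c4c319559ed0b1308befe117d5cafa283e245bea1e9.exe")

# Constructed event stream, in the order a monitor would emit it.
EVENTS = [
    {"type": "process_create", "pid": 948, "ppid": 0, "image": SAMPLE},
    {"type": "process_create", "pid": 1264, "ppid": 948,
     "image": r"C:\Windows\SysWOW64\explorer.exe"},
    *[{"type": "write_process_memory", "pid": 948, "target": 1264} for _ in range(5)],
    {"type": "set_thread_context", "pid": 948, "target": 1264},
    {"type": "file_create", "pid": 1264, "path": r"C:\Windows\iqokolkq.exe"},
    {"type": "registry_set", "pid": 1264,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygamiqog",
     "value": r"C:\Windows\iqokolkq.exe"},
    {"type": "process_create", "pid": 1188, "ppid": 1264,
     "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create", "pid": 620, "ppid": 0,
     "image": r"C:\Windows\system32\vssvc.exe"},  # VSS service; must not fire
]

# Assumed rule parameters: where untrusted binaries normally live, and the
# autostart key the report shows being written.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_KEY = r"\registry\machine\software\microsoft\windows\currentversion\run"


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def analyse(events):
    """Return a list of (finding, ...) tuples for the given event stream."""
    procs = {}                  # pid -> image / ppid / cmdline seen so far
    writes = defaultdict(int)   # (writer pid, target pid) -> WriteProcessMemory count
    hollowed = set()            # pids whose in-memory image we believe was replaced
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "process_create":
            procs[ev["pid"]] = {"image": ev["image"], "ppid": ev["ppid"],
                                "cmdline": ev.get("cmdline", "")}
            name = ntpath.basename(ev["image"]).lower()
            if name == "vssadmin.exe" and "delete shadows" in ev.get("cmdline", "").lower():
                parent = procs.get(ev["ppid"], {}).get("image")
                # Record whether the parent is a process we already flagged as hollowed.
                findings.append(("shadow_copy_deletion", ev["pid"], parent,
                                 ev["ppid"] in hollowed))
        elif t == "write_process_memory":
            writes[(ev["pid"], ev["target"])] += 1
        elif t == "set_thread_context":
            key = (ev["pid"], ev["target"])
            src, dst = procs.get(ev["pid"]), procs.get(ev["target"])
            # RunPE pattern: spawn a child, write into it, then redirect its thread.
            # Require that the writer is running from a user-writable path.
            if (writes[key] and src and dst and dst["ppid"] == ev["pid"]
                    and is_user_writable(src["image"])):
                hollowed.add(ev["target"])
                findings.append(("probable_process_hollowing", ev["pid"],
                                 ev["target"], writes[key]))
        elif t == "registry_set":
            if ev["key"].lower().startswith(RUN_KEY + "\\"):
                target = ev["value"].strip('"')
                # A Run entry pointing at a file directly in C:\Windows\ (not a
                # subdirectory) is unusual for legitimate software.
                if ntpath.dirname(target).lower() == r"c:\windows":
                    findings.append(("run_key_persistence", ev["pid"], target))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
```

The hollowing rule deliberately needs all three pieces of evidence the report shows (the target is the writer's own child, at least one WriteProcessMemory, then SetThreadContext, from a writer under a user-writable path); dropping the parent-child condition would also match debuggers and some AV agents, so tune that before deploying it against real telemetry.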
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 220KB
MD5: 8564389877e82a2205449cb6315d70b9
SHA1: 0245a1848fe4ca7fea4ca856ec4949ba1000db1f
SHA256: 8de6491dafa6469b2e75a1a08c417a706b08c46b11faee0295b882ef1c501af3
SHA512: 0982efc701588dc3b917780f2b8556b83f5cce2db6d1c0a2714d80877cd26981bfecef1b04e9e8093b7f15a4d4e13452a8da4d71b33225f3cfca36b32314c0c5