Analysis

  • max time kernel
    148s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 14:19 UTC

General

  • Target

    85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe

  • Size

    419KB

  • MD5

    08693e673d23ac2c0c78b9ef8dabe218

  • SHA1

    b73cccfaf8b4f9ba7645eb8693124b637a8abf8d

  • SHA256

    85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed

  • SHA512

    007a302f0a2b64d13f408f3784beca07138b6e80ae464d50e2a43bd1771292e546a68f6a13ac243feaf956ab6d9bd152505ff6e6924f3116e9abfcbcc597cac2

  • SSDEEP

    12288:VHMjpqaCqho40Vxl/RRAvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvf:dcN+Ll/RRw

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe
    "C:\Users\Admin\AppData\Local\Temp\85f85f52451a4386000ebb67063103742aa8648d9328ec2a4dec67428ca034ed.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:240
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Google Update" /XML "C:\Users\Admin\AppData\Local\Temp\a44444.xml"
      2⤵
      • Creates scheduled task(s)
      PID:1980
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:320

Network

  • DNS
    jagex1.crabdance.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    jagex1.crabdance.com
    IN A
    Response
    jagex1.crabdance.com
    IN A
    127.0.0.2
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 127.0.0.2:17777
    svchost.exe
  • 8.8.8.8:53
    jagex1.crabdance.com
    dns
    svchost.exe
    66 B
    82 B
    1
    1

    DNS Request

    jagex1.crabdance.com

    DNS Response

    127.0.0.2

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a44444.xml

    Filesize

    1KB

    MD5

    b258c29c3afb1122b924b80ea38c343a

    SHA1

    99f89b3958ac33fa672485d5891b4bb9845d2ef0

    SHA256

    b38fa2612f36f7604ff4c6459805424101fca004922c76b67be5a886bfcba5e9

    SHA512

    7693712218a3807329352dc6d85359df614f0b820dd789da311d3a8abeb25c4b33dd6a9a9b50aaa68fb79af7b74e072ae25ead2c9285ac737c5f1d7b6677ad1c

  • memory/240-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

    Filesize

    8KB

  • memory/240-55-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/240-56-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/240-77-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/320-65-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-60-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-62-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-59-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-68-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-70-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-73-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-79-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-80-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/320-81-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB
