Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
44s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
28/11/2022, 02:26
Static task
static1
Behavioral task
behavioral1
Sample
6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
Resource
win10v2004-20220901-en
General
-
Target
6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
-
Size
559KB
-
MD5
7767886f33d05e61fcf1fa4d4e7624dd
-
SHA1
d80909e4b2ee6caae7c47feac3aa9ac2c8910082
-
SHA256
6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f
-
SHA512
8168b78b0a528d9b4dc7ef26bc2b0838300dc65f345bf77baba9892166be299ab17db089f764253219c19b28251988dd25113ca3448d6425af0bb89de70834cf
-
SSDEEP
12288:3/aUsuYachgVK4vXc+MjRWsx7VCzCGkAUKrrw5z0C5Sytl52:PaUxvxK4vcHWsJgKA5rrwm/yf52
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
972   user.exe
-
Loads dropped DLL 4 IoCs
pid    Process
1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
972   user.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege   972   user.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid    Process
1988   DllHost.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid    Process                                                                   procid_target
PID 1948 wrote to memory of 972    1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe   27
PID 1948 wrote to memory of 972    1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe   27
PID 1948 wrote to memory of 972    1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe   27
PID 1948 wrote to memory of 972    1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe   27
PID 1948 wrote to memory of 972    1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe   27
PID 1948 wrote to memory of 972    1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe   27
PID 1948 wrote to memory of 972    1948   6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe   27
Processes
-
Process tree (depth in brackets):
[1] C:\Users\Admin\AppData\Local\Temp\6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1948
    [2] C:\Users\Admin\AppData\Roaming\user.exe
        Command line: "C:\Users\Admin\AppData\Roaming\user.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 972
[1] C:\Windows\SysWOW64\DllHost.exe
    Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    - Suspicious use of FindShellTrayWindow
    PID: 1988
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
195KB
MD5 5f68b6c6dd21b1d996b7c16122785654
SHA1 fef3cb7e6a55b0fdbb765c56802422071c0e7024
SHA256 e5b3ab94cd2075853d7fd549a8d38497db44c6ce31c501404ed117ab70b47877
SHA512 e7d1f5c5aeaab577e7280c537100f2c4481703e4f57acf3f129d7b5ba93f994dd56d59ac2019e32115d5c7871ac7df1df6c6976333b5548a04321876c7a5bd46
-
Filesize
94KB
MD5 8c6a3d31c1661c5eef5267ddc71ef1c5
SHA1 fc9676459e851a15f5bda588eb5a6054e93d4497
SHA256 6bf3f7642e4908fbd220931bc6a0deb3c566149e10da3a0b744cb3cdcbd930d7
SHA512 a094573dd8a0844ec280cce8774cb933f76b41d3e2f4a7819e634a38986e87afe9e27908ea9dae718810e3f76c6a8b85e2aeb953adf4a52e8ddd0aabde0f0a45