Analysis
  max time kernel: 35s
  max time network: 45s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 29/11/2022, 14:28
Static task: static1
Behavioral task: behavioral1
  Sample: 250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
  Resource: win10v2004-20221111-en
General
  Target: 250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
  Size: 646KB
  MD5: 4f75a4f0e4223d49c9c1f83eda657087
  SHA1: 70f5045c407146676e55c2311f75adc52851b85b
  SHA256: 250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3
  SHA512: 87b92943e01ac3c3305ddc57d22984401b86577fd081d82d2fb1b102cb8ceb8bc1d2a267934d5c300db7a78fe1c8402844a8321cee0cfc9b727317caa6547f74
  SSDEEP: 12288:b1dlZo5y8E3k12MgGiFELWGgkeMzlELnqRs+gN/61XhhOzkoDQQyazsB3t:b1dlZo51HcKLvcMzlYTBS1Xhhkki6v
Malware Config
Signatures
  Executes dropped EXE (3 IoCs)
    pid   Process
    1516  Hackweball.exe
    1708  server.exe
    568   server.exe
  Loads dropped DLL (5 IoCs)
    pid   Process
    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
    1708  server.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    568   server.exe
    568   server.exe
  Suspicious use of AdjustPrivilegeToken (6 IoCs)
    description                          pid   Process
    Token: 33                            1708  server.exe
    Token: SeIncBasePriorityPrivilege    1708  server.exe
    Token: 33                            1708  server.exe
    Token: SeIncBasePriorityPrivilege    1708  server.exe
    Token: 33                            568   server.exe
    Token: SeIncBasePriorityPrivilege    568   server.exe
  Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    1516  Hackweball.exe
  Suspicious use of WriteProcessMemory (18 IoCs)
    description                         pid   Process                                                                   procid_target
    PID 1536 wrote to memory of 1516    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  27
    PID 1536 wrote to memory of 1516    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  27
    PID 1536 wrote to memory of 1516    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  27
    PID 1536 wrote to memory of 1516    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  27
    PID 1536 wrote to memory of 1708    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  28
    PID 1536 wrote to memory of 1708    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  28
    PID 1536 wrote to memory of 1708    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  28
    PID 1536 wrote to memory of 1708    1536  250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe  28
    PID 1708 wrote to memory of 568     1708  server.exe                                                                29
    PID 1708 wrote to memory of 568     1708  server.exe                                                                29
    PID 1708 wrote to memory of 568     1708  server.exe                                                                29
    PID 1708 wrote to memory of 568     1708  server.exe                                                                29
    PID 568 wrote to memory of 1288     568   server.exe                                                                20
    PID 568 wrote to memory of 1288     568   server.exe                                                                20
    PID 568 wrote to memory of 1288     568   server.exe                                                                20
    PID 568 wrote to memory of 1288     568   server.exe                                                                20
    PID 568 wrote to memory of 1288     568   server.exe                                                                20
    PID 568 wrote to memory of 1288     568   server.exe                                                                20
Processes
  C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1288
    C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe"
      PID: 1536
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Extracted\Hackweball.exe
        command line: "C:\Extracted\Hackweball.exe"
        PID: 1516
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Extracted\server.exe
        command line: "C:\Extracted\server.exe"
        PID: 1708
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe
          command line: "C:\Extracted\server.exe"
          PID: 568
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 224KB
    MD5: c9741e5cf9c1e529f9777de1701f8375
    SHA1: cd0e97823bb155f1724b134a929306be4ec536bf
    SHA256: f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae
    SHA512: b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40
  Filesize: 394KB
    MD5: 4564a9fcbd275eebde0ec8bcddf39561
    SHA1: e61782d6214dfc59717db6229cdbc2f6b7a5c67b
    SHA256: 5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f
    SHA512: d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c
  C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe
    Filesize: 17KB
    MD5: e6361c7005b104dfa196e7bba3026a61
    SHA1: 645820b4f900b28b488e0de12df4e3e45aae55bc
    SHA256: 5015077f26651c8186111e79eac3abe04de303aa83e6b6c03526ec0e62c46a8d
    SHA512: 193a4410b729a1d0ac73cdcd5f20f68c6b86be079e3764d4671907f42870dbf0dae6707c0798324302cec972cb22f5f7c7692e57ac623141387839a6a2f82c8c
  \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe
    Filesize: 17KB
    MD5: e6361c7005b104dfa196e7bba3026a61
    SHA1: 645820b4f900b28b488e0de12df4e3e45aae55bc
    SHA256: 5015077f26651c8186111e79eac3abe04de303aa83e6b6c03526ec0e62c46a8d
    SHA512: 193a4410b729a1d0ac73cdcd5f20f68c6b86be079e3764d4671907f42870dbf0dae6707c0798324302cec972cb22f5f7c7692e57ac623141387839a6a2f82c8c