Analysis
- max time kernel: 236s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 03:18
Static task
- static1

Behavioral task
- behavioral1
  Sample: 738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe
  Resource: win7-20220812-en

Behavioral task
- behavioral2
  Sample: 738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe
  Resource: win10v2004-20220812-en
General
- Target: 738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe
- Size: 420KB
- MD5: 7dda3df33113e1c532e2c4cdbe0af31b
- SHA1: 9085cf53ff1620974289b6401791cb793c25582b
- SHA256: 738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080
- SHA512: cda5fc94fc93353bb83c8f2b94fe8ccdbdb7d7d5c87ce719dd94b7b957d7ecddac1259f88f656488f7d0842c9960d03f59914b78efcb8167704ea1b09e5ed974
- SSDEEP: 6144:a8hbeHNyI7qy0LgPOcVHDnnY8bRZ+eHm+yn8vQ8w9ths+YMNoK2aZ3azO:Zh67q0jnnYUmqvEs+YMZ9Z3uO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1120  atvhuw.exe
- Deletes itself (1 IoC)
  pid 1544  cmd.exe
- Loads dropped DLL (3 IoCs)
  pid 1544  cmd.exe
  pid 1544  cmd.exe
  pid 1120  atvhuw.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Process: 738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid 1712  taskkill.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1164  PING.EXE
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid 1120  atvhuw.exe  (32 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 1712  taskkill.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1120  atvhuw.exe  (4 occurrences)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1120  atvhuw.exe  (4 occurrences)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 916 wrote to memory of 1544   process: 738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe   procid_target: 28   (4 occurrences)
  PID 1544 wrote to memory of 1712  process: cmd.exe   procid_target: 30   (4 occurrences)
  PID 1544 wrote to memory of 1164  process: cmd.exe   procid_target: 32   (4 occurrences)
  PID 1544 wrote to memory of 1120  process: cmd.exe   procid_target: 33   (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe"
  PID: 916
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 916 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080.exe" & start C:\Users\Admin\AppData\Local\atvhuw.exe -f
    PID: 1544
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 916
      PID: 1712
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      PID: 1164
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\atvhuw.exe
      Command line: C:\Users\Admin\AppData\Local\atvhuw.exe -f
      PID: 1120
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 420KB
  MD5: 7dda3df33113e1c532e2c4cdbe0af31b
  SHA1: 9085cf53ff1620974289b6401791cb793c25582b
  SHA256: 738e04fee141ca9a2103a345e267cccb84b10a038e344d0f5b13ebdc9a346080
  SHA512: cda5fc94fc93353bb83c8f2b94fe8ccdbdb7d7d5c87ce719dd94b7b957d7ecddac1259f88f656488f7d0842c9960d03f59914b78efcb8167704ea1b09e5ed974