Analysis
- max time kernel: 79s
- max time network: 55s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 05:49
Static task: static1
Behavioral task: behavioral1
- Sample: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Resource: win10v2004-20221111-en
General
- Target: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Size: 3.1MB
- MD5: 6460c9956bd90b9fc83d318aac0c72f7
- SHA1: 130d7cd6d44234a2c8b78bb10a592539ecae0703
- SHA256: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e
- SHA512: d33c712830bd31d16eb7aba30eaf331cef6ac6a5b06c5be0180411caa5828e147db8379991431cb2098ee5ff00437cc2c7e333930df215b2856d5b30da768603
- SSDEEP: 49152:T0T9a9PH8kmpnUYBTGpax+5jrdewURNGzGo5KG+jLcasY6DwOBfrnvV7UeWtPNZ:TQofrJuTGKnwURNGUnjQYiwOBpIeWHZ
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  pid 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Loads dropped DLL 2 IoCs
  pid 684: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  pid 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings 3 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main (process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe)
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege, pid 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  pid 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  pid 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
- Suspicious use of WriteProcessMemory 4 IoCs
  PID 684 wrote to memory of 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe (procid_target 27)
  PID 684 wrote to memory of 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe (procid_target 27)
  PID 684 wrote to memory of 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe (procid_target 27)
  PID 684 wrote to memory of 1320: 1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe (procid_target 27)
Processes
- C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
  PID: 684
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe (child of PID 684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
    PID: 1320
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  Filesize: 3.0MB
  MD5: 7d590bccd10a91278a1d0c1db1e6886f
  SHA1: b95b286fa7ba1457bb7a93b06761177e84b0c8e2
  SHA256: cb17a248e6356ce4b8ee44f6eb567d7a16f093dbe2706928861d0920825d4155
  SHA512: 00a9acda8e00c00c3e89bf5aa7de555dfd37c41c93f260114f07376dc586b5dc8feaa4712a0b15e335ebb31d550856c812f00683cbc9a6b94b8dbab0c89f88d9
- Filesize: 893KB
  MD5: 04ad4b80880b32c94be8d0886482c774
  SHA1: 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0
  SHA256: a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338
  SHA512: 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb