Analysis
-
max time kernel: 190s
max time network: 198s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 01/12/2022 (dd/mm/yyyy: the win7-20221111 image postdates 12 January 2022), 14:22
Static task: static1
Behavioral task: behavioral1 (sample af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe on resource win7-20221111-en; this is the run shown on this page)
Behavioral task: behavioral2 (sample af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe on resource win10v2004-20220901-en)
General
-
Target: af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe
Size:   1.2MB
MD5:    451644aa5b271c3ddab56547d83b5144
SHA1:   ce65d3d09e32ce7928c117fa9f652708de2cb5c0
SHA256: af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac
SHA512: c01e0d3e00e67c786dbd56dbf6d2e3070a4f29e49d6fb7194961f50fae064a1a416e291a28a496ba9d4cd78521d36f66c319979b04907a1b49a02e2afa7b8229
SSDEEP: 24576:pbeXU9l7Sz/Q9Th2G2ojLgFfPvV8jU/x:R34z6ThhbU/x
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
PID 784  82656128.exe
-
Deletes itself (1 IoC)
PID 340  cmd.exe
-
Loads dropped DLL (4 IoCs)
PID 692  cmd.exe  (x2)
PID 784  82656128.exe  (x2)
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\82656128 = "C:\\ProgramData\\82656128\\82656128.exe"  by af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  by 82656128.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\82656128 = "C:\\PROGRA~3\\82656128\\82656128.exe"  by 82656128.exe
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  by af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe
Note: both values name the same file. C:\PROGRA~3 is the 8.3 short name of C:\ProgramData; the dropped copy rewrites the value with the short path it was started under, so a rule that matches only the long spelling misses the second write. The Wow6432Node key and the SysWOW64 child processes in the tree below show the sample is a 32-bit binary running under WoW64.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: the second sentence is the sandbox's canned description for this signature. Nothing else in this report (no mass file writes or renames, no ransom note among the dropped files) supports ransomware, so treat it as a weak indicator here.
-
Kills process with taskkill (1 IoC)
PID 676  taskkill.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 784  82656128.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege  PID 676  taskkill.exe
(taskkill /f enables SeDebugPrivilege in its own token to force-terminate the target; this is the expected side effect of the kill above, not a separate escalation.)
-
Suspicious use of FindShellTrayWindow (8 IoCs)
PID 784  82656128.exe  (x8)
-
Suspicious use of SendNotifyMessage (8 IoCs)
PID 784  82656128.exe  (x8)
(FindWindow on Shell_TrayWnd followed by SendNotifyMessage is what a process does when it registers a notification-area icon; alone this is weak evidence of anything.)
-
Suspicious use of WriteProcessMemory (16 IoCs)
source PID -> target PID  source process  (count, procid_target)
1664 -> 340  af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe  (x4, 28)
340  -> 676  cmd.exe  (x4, 30)
340  -> 692  cmd.exe  (x4, 32)
692  -> 784  cmd.exe  (x4, 33)
Note: every entry is a parent writing into a process it has just created (compare the tree below). That is what this sandbox records for an ordinary CreateProcess, not cross-process injection.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe  PID 1664
    cmd: "C:\Users\Admin\AppData\Local\Temp\af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe  PID 340
      cmd: cmd /c ""C:\ProgramData\82656128\82656128.bat" "
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe  PID 676
        cmd: taskkill /im af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  PID 692
        cmd: cmd.exe /c start C:\PROGRA~3\82656128\82656128.exe /install
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\PROGRA~3\82656128\82656128.exe  PID 784
          cmd: C:\PROGRA~3\82656128\82656128.exe /install
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
-
Reading the tree: the sample copies itself to C:\ProgramData\82656128\82656128.exe (the 1.2 MB dropped files under Downloads carry the sample's own hashes), writes the Run value, and hands control to 82656128.bat. The batch first force-kills the original image by name, which is what lets cmd.exe remove the file in the Temp folder (the "Deletes itself" signature), then starts the dropped copy with /install, and that copy rewrites the Run value under the 8.3 path. The 322 B dropped file under Downloads is presumably the batch file and is the first thing to pull for the exact command sequence.
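Detection logic for the two behaviours this tree shows: a Run value pointing into a user-writable directory in either the long C:\ProgramData or 8.3 C:\PROGRA~3 spelling, and a batch-driven "kill the original by name, start the dropped copy" chain. This is an added example written for this page, not code from tria.ge or from the sample; the registry and process records are constructed from the report above, and the 8.3 alias table and the list of user-writable directories are the example's own assumptions.

```python
"""Flag ProgramData Run-key persistence and a taskkill-then-relaunch chain.
Editor-added example; input records are constructed from the report above."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Assumption: default 8.3 aliases on an English x64 install. The report writes
# the same file as C:\ProgramData\... and C:\PROGRA~3\..., which confirms the
# first entry for this sample; the other two are the usual defaults.
SHORT_NAMES = {
    "C:\\PROGRA~3": "C:\\ProgramData",
    "C:\\PROGRA~1": "C:\\Program Files",
    "C:\\PROGRA~2": "C:\\Program Files (x86)",
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumption: locations a non-elevated process can write to. A Run value that
# points here is the persistence pattern worth alerting on.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\")


def normalize_path(path: str) -> str:
    """Strip the quoting/escaping the report shows and expand 8.3 prefixes."""
    p = path.strip('"').replace("\\\\", "\\")
    for short, long in SHORT_NAMES.items():
        if p.lower().startswith(short.lower()):
            return long + p[len(short):]
    return p


@dataclass
class RegEvent:
    op: str        # "Set value (str)" or "Key created"
    key: str
    value: str     # data written; empty for "Key created"
    process: str   # image name of the writing process


def flag_run_key_persistence(events):
    """Return (value name, normalized target, writer) for Run values that
    point into a user-writable directory."""
    hits = []
    for e in events:
        if not e.op.lower().startswith("set value") or not RUN_KEY_RE.search(e.key):
            continue
        target = normalize_path(e.value)
        if any(marker in target.lower() for marker in USER_WRITABLE):
            hits.append((e.key.rsplit("\\", 1)[-1], target, e.process))
    return hits


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_relaunch_chain(procs):
    """Find taskkill /im <X> /f where <X> is an ancestor of the taskkill
    process, then list every process under the same batch host (the
    taskkill's parent) whose image runs from a user-writable directory."""
    by_pid = {p.pid: p for p in procs}

    def ancestor_pids(p):
        seen = set()
        while p.ppid in by_pid and p.ppid not in seen:
            seen.add(p.ppid)
            p = by_pid[p.ppid]
        return seen

    chains = []
    for k in procs:
        if _basename(k.image) != "taskkill.exe":
            continue
        m = re.search(r"/im\s+(\S+)", k.cmdline, re.I)
        if not m:
            continue
        victim = m.group(1).lower()
        killed = [a for a in ancestor_pids(k) if _basename(by_pid[a].image) == victim]
        if not killed:
            continue  # killing some other process, not a self-replace
        host = k.ppid  # the cmd.exe running the batch file
        relaunched = [
            (q.pid, normalize_path(q.image)) for q in procs
            if host in ancestor_pids(q)
            and any(marker in normalize_path(q.image).lower() for marker in USER_WRITABLE)
        ]
        chains.append({"killed_pid": killed[0], "victim": victim,
                       "taskkill_pid": k.pid, "relaunched": relaunched})
    return chains


# Constructed from the "Adds Run key" signature in this report.
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
REGISTRY_EVENTS = [
    RegEvent("Set value (str)", RUN_KEY + r"\82656128", r'"C:\\ProgramData\\82656128\\82656128.exe"', SAMPLE),
    RegEvent("Key created", RUN_KEY, "", "82656128.exe"),
    RegEvent("Set value (str)", RUN_KEY + r"\82656128", r'"C:\\PROGRA~3\\82656128\\82656128.exe"', "82656128.exe"),
    RegEvent("Key created", RUN_KEY, "", SAMPLE),
]

# Constructed from the process tree in this report.
PROCESSES = [
    Proc(1664, None, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    Proc(340, 1664, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\ProgramData\82656128\82656128.bat" "'),
    Proc(676, 340, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /im " + SAMPLE + " /f"),
    Proc(692, 340, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c start C:\PROGRA~3\82656128\82656128.exe /install"),
    Proc(784, 692, r"C:\PROGRA~3\82656128\82656128.exe", r"C:\PROGRA~3\82656128\82656128.exe /install"),
]

if __name__ == "__main__":
    for hit in flag_run_key_persistence(REGISTRY_EVENTS):
        print("Run value %s -> %s (written by %s)" % hit)
    for chain in detect_relaunch_chain(PROCESSES):
        print("self-replace chain:", chain)
```

Both checks normalise the 8.3 prefix before comparing, so the second Run write (PROGRA~3) is caught by the same rule as the first, and the relaunch check ties the kill to the dropped copy through the batch host's PID rather than by file name, so it still fires when the dropped copy is renamed.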
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 1.2MB  (identical to the submitted sample; consistent with the self-copy run as PID 784. The same four hashes were listed for six of the seven dropped files; the repeats are omitted here.)
MD5    451644aa5b271c3ddab56547d83b5144
SHA1   ce65d3d09e32ce7928c117fa9f652708de2cb5c0
SHA256 af73ef4dae4990e1f509a1b394a6f0cd0250ef1a30071e263e746f6d255046ac
SHA512 c01e0d3e00e67c786dbd56dbf6d2e3070a4f29e49d6fb7194961f50fae064a1a416e291a28a496ba9d4cd78521d36f66c319979b04907a1b49a02e2afa7b8229
-
Filesize 322B  (presumably 82656128.bat)
MD5    ea5759148f64c4ea382c61a2e591911d
SHA1   3b076384d5746462c03a21b998335c1d82e12243
SHA256 6f512030c2d0b57d0c44ff6c487f6bb6d3c3a918f1097ad4ec5a353188ccc0ab
SHA512 12513df52c9eb2970de1c7b82092758f6d425de2a432d29b245ee3f78eaeaf5a81915b7928038083aacf8ddfe2a20f0e7c9893861e43c7dd09f3008f146cef13