Analysis
max time kernel: 48s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe
  Resource: win10v2004-20220812-en
General
Target: bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe
Size: 40KB
MD5: 7bed7c82efafe6fbbe811b9cdb7ef374
SHA1: 253e75dd646496c947aea0270ab74110c5445419
SHA256: bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76
SHA512: 669c8c51c76907b2885ddcaa0d1bcb66c8aee493fec7217aa379f2f691b7a58bb745985f9b5debb87ccb15d8d4fd24b8490eebb9cf77f41fbbcaceb58145b1cd
SSDEEP: 768:SI8KnBLmtqeOQhbq+WVGvbsLHCAQpBryb0A4T+Ko+OA5FRe:2KnheOoa0fryAT
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 840, process Trojan.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 1076, process netsh.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8515eb34d8f9de5af815466e9715b3e5.exe (process Trojan.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8515eb34d8f9de5af815466e9715b3e5.exe (process Trojan.exe)
Loads dropped DLL (1 IoC)
  pid 1552, process bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .." (process Trojan.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8515eb34d8f9de5af815466e9715b3e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trojan.exe\" .." (process Trojan.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 840, process Trojan.exe
  pid 840, process Trojan.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 840, process Trojan.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1552 wrote to memory of 840 (pid 1552, process bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe, procid_target 26)
  PID 1552 wrote to memory of 840 (pid 1552, process bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe, procid_target 26)
  PID 1552 wrote to memory of 840 (pid 1552, process bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe, procid_target 26)
  PID 1552 wrote to memory of 840 (pid 1552, process bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe, procid_target 26)
  PID 840 wrote to memory of 1076 (pid 840, process Trojan.exe, procid_target 27)
  PID 840 wrote to memory of 1076 (pid 840, process Trojan.exe, procid_target 27)
  PID 840 wrote to memory of 1076 (pid 840, process Trojan.exe, procid_target 27)
  PID 840 wrote to memory of 1076 (pid 840, process Trojan.exe, procid_target 27)
Processes
C:\Users\Admin\AppData\Local\Temp\bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1552
  C:\Users\Admin\AppData\Roaming\Trojan.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Trojan.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 840
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Trojan.exe" "Trojan.exe" ENABLE
      - Modifies Windows Firewall
      PID: 1076
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 40KB
MD5: 7bed7c82efafe6fbbe811b9cdb7ef374
SHA1: 253e75dd646496c947aea0270ab74110c5445419
SHA256: bfd66b8c04842a8117a081ac7e9ac1cd83480996428e137534df86939e712e76
SHA512: 669c8c51c76907b2885ddcaa0d1bcb66c8aee493fec7217aa379f2f691b7a58bb745985f9b5debb87ccb15d8d4fd24b8490eebb9cf77f41fbbcaceb58145b1cd