Analysis
  max time kernel: 151s
  max time network: 74s
  platform: windows7_x64
  resource: win7-20220901-en
  resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted: 02/12/2022, 23:56
Static task
  static1
Behavioral task
  behavioral1
    Sample: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
    Resource: win7-20220901-en
Behavioral task
  behavioral2
    Sample: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
    Resource: win10v2004-20220812-en
General
  Target: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
  Size: 685KB
  MD5: 95b51c28ce2f926b597bdf572250cd90
  SHA1: 18bece471bcd283e76c7e28c3c6a5eda59b20d8f
  SHA256: 58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423
  SHA512: 93008f0d344a71e5e9f357e8b90d5a0e7d925c596549f346df9e0b82d96a984e98bde0147bcb4a7b104bab620322336686ab97061c425183d91367c89b7415ec
  SSDEEP: 12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
    pid    Process
    820    hyymsyv.exe
    1624   ~DFA5D.tmp
    624    izvycov.exe
- Deletes itself (1 IoC)
    pid    Process
    660    cmd.exe
- Loads dropped DLL (3 IoCs)
    pid    Process
    1376   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
    820    hyymsyv.exe
    1624   ~DFA5D.tmp
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
    pid    Process
    624    izvycov.exe (19 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid    Process
    Token: SeDebugPrivilege   1624   ~DFA5D.tmp
- Suspicious use of WriteProcessMemory (16 IoCs)
    description                        pid    Process                                                                   procid_target
    PID 1376 wrote to memory of 820    1376   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe     26   (4 identical entries)
    PID 820 wrote to memory of 1624    820    hyymsyv.exe                                                               27   (4 identical entries)
    PID 1376 wrote to memory of 660    1376   58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe     28   (4 identical entries)
    PID 1624 wrote to memory of 624    1624   ~DFA5D.tmp                                                                30   (4 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\58132104efb2638c9f274d19e0ed5f9960632da52f9827c5afdfd90229ff9423.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1376
  - [2] C:\Users\Admin\AppData\Local\Temp\hyymsyv.exe
        command line: C:\Users\Admin\AppData\Local\Temp\hyymsyv.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 820
    - [3] C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp
          command line: C:\Users\Admin\AppData\Local\Temp\~DFA5D.tmp OK
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1624
      - [4] C:\Users\Admin\AppData\Local\Temp\izvycov.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\izvycov.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 624
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
        - Deletes itself
        PID: 660
Network
MITRE ATT&CK Enterprise v6
Downloads