Analysis
max time kernel: 44s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 22:19

Static task: static1

Behavioral task: behavioral1
Sample: fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe
Resource: win10v2004-20220812-en
General
Target: fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe
Size: 131KB
MD5: 2ca13eff9238997803538b3f8c12879d
SHA1: a608481b7d245842c6d4547dc99b9c26441d2124
SHA256: fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d
SHA512: add7135beeabde6c93f5e498af15154a3534b91308ddec782318c6bc7a768625743f29f2fe5a960b05b3ec07ff9e877c06d639ea32e1701367ae91c71e1a09c3
SSDEEP: 3072:efP+g0kmb5YR83nkB43RSG83wH8ON+UgoeQN9WZPeYY7ahh:e+0w5Ln8AcOIyUdeh7az
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid Process
932 123.exe
1008 Server.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tbmon.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avg.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownsvr.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAS.EXE 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAS.EXE\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vstskmgr.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaisv.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SymSPort.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guaid.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\debugger = "IFEOFILE" 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownsvr.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vstskmgr.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "IFEOFILE" 123.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe 123.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\debugger = "IFEOFILE" 123.exe
Loads dropped DLL 3 IoCs
pid Process
1064 fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe
1064 fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe
932 123.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe 1 TTPs 1 IoCs
pid Process
676 PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
932 123.exe (64 identical events)
Suspicious behavior: LoadsDriver 1 IoCs
pid Process
464 Process not Found
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 932 123.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
932 123.exe
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 1064 wrote to memory of 932 1064 fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe 27
PID 1064 wrote to memory of 932 1064 fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe 27
PID 1064 wrote to memory of 932 1064 fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe 27
PID 1064 wrote to memory of 932 1064 fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe 27
PID 932 wrote to memory of 1008 932 123.exe 28
PID 932 wrote to memory of 1008 932 123.exe 28
PID 932 wrote to memory of 1008 932 123.exe 28
PID 932 wrote to memory of 1008 932 123.exe 28
PID 932 wrote to memory of 716 932 123.exe 29
PID 932 wrote to memory of 716 932 123.exe 29
PID 932 wrote to memory of 716 932 123.exe 29
PID 932 wrote to memory of 716 932 123.exe 29
PID 716 wrote to memory of 676 716 cmd.exe 31
PID 716 wrote to memory of 676 716 cmd.exe 31
PID 716 wrote to memory of 676 716 cmd.exe 31
PID 716 wrote to memory of 676 716 cmd.exe 31
Processes

1. C:\Users\Admin\AppData\Local\Temp\fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe (PID:1064)
   Command line: "C:\Users\Admin\AppData\Local\Temp\fbf01e0f94e292758d58d2cbffe81100895b427c616173223053b46cbc97c44d.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\123.exe (PID:932)
      Command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
      - Executes dropped EXE
      - Sets file execution options in registry
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Temp\Server.exe (PID:1008)
         Command line: "C:\Temp\Server.exe"
         - Executes dropped EXE

      3. C:\Windows\SysWOW64\cmd.exe (PID:716)
         Command line: cmd /c ping 127.0.0.1&&del /f /q /a:- "C:\Users\Admin\AppData\Local\Temp\123.exe"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\PING.EXE (PID:676)
            Command line: ping 127.0.0.1
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 187KB
MD5: d84f8cbc42b10bc63f7eb7e5f2b48524
SHA1: 41af7a40e98b6a9939ecf4f2f4073964d3956484
SHA256: 10c4bc51083520a1f3fd7c3ebd643ceff8f33dcd71e3b080bac12d02b056c7bb
SHA512: aee428d13ab0d24a4ad673a1c68cfdb9e3a39fac6800acbd90c3762ca13154f6b30402999c623e11505c89d105fad7be00e1d90d5caff95d07eacc96644c5fcf

Filesize: 104KB
MD5: 0896cd67f7f4c14ee6c3c78c3f7fad0b
SHA1: 48f220db5ef77dffe2132f842a2aced02b5ac868
SHA256: 0f5a279b8bed19dd3c15aed90ac1a65a3292177fe45ef5cf08824fb8243e3d23
SHA512: a40153a6550184c9426e167a135dce96b5c64e8571b6807b945b7361e5227ea74f173337b107e5f63f61b20eec91d0be8ccb202e1cd29029de02cd18bcb5481b

Filesize: 104KB
MD5: 0896cd67f7f4c14ee6c3c78c3f7fad0b
SHA1: 48f220db5ef77dffe2132f842a2aced02b5ac868
SHA256: 0f5a279b8bed19dd3c15aed90ac1a65a3292177fe45ef5cf08824fb8243e3d23
SHA512: a40153a6550184c9426e167a135dce96b5c64e8571b6807b945b7361e5227ea74f173337b107e5f63f61b20eec91d0be8ccb202e1cd29029de02cd18bcb5481b

Filesize: 187KB
MD5: d84f8cbc42b10bc63f7eb7e5f2b48524
SHA1: 41af7a40e98b6a9939ecf4f2f4073964d3956484
SHA256: 10c4bc51083520a1f3fd7c3ebd643ceff8f33dcd71e3b080bac12d02b056c7bb
SHA512: aee428d13ab0d24a4ad673a1c68cfdb9e3a39fac6800acbd90c3762ca13154f6b30402999c623e11505c89d105fad7be00e1d90d5caff95d07eacc96644c5fcf

Filesize: 104KB
MD5: 0896cd67f7f4c14ee6c3c78c3f7fad0b
SHA1: 48f220db5ef77dffe2132f842a2aced02b5ac868
SHA256: 0f5a279b8bed19dd3c15aed90ac1a65a3292177fe45ef5cf08824fb8243e3d23
SHA512: a40153a6550184c9426e167a135dce96b5c64e8571b6807b945b7361e5227ea74f173337b107e5f63f61b20eec91d0be8ccb202e1cd29029de02cd18bcb5481b

Filesize: 104KB
MD5: 0896cd67f7f4c14ee6c3c78c3f7fad0b
SHA1: 48f220db5ef77dffe2132f842a2aced02b5ac868
SHA256: 0f5a279b8bed19dd3c15aed90ac1a65a3292177fe45ef5cf08824fb8243e3d23
SHA512: a40153a6550184c9426e167a135dce96b5c64e8571b6807b945b7361e5227ea74f173337b107e5f63f61b20eec91d0be8ccb202e1cd29029de02cd18bcb5481b