Analysis
  max time kernel:  44s
  max time network: 50s
  platform:         windows7_x64
  resource:         win7-20220901-en
  resource tags:    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted:        03/12/2022, 00:43
Static task: static1

Behavioral task: behavioral1
  Sample:   42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample:   42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe
  Resource: win10v2004-20220812-en
General
  Target: 42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe
  Size:   101KB
  MD5:    1323913bf50b6bce2f72cbe3609e2ce0
  SHA1:   03414e1160942e152482e10b69fe37574325a4db
  SHA256: 42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7
  SHA512: cfacf38ce79628258ece3d322b952f4072661e7c0f210f04e912a6fd6b4b53b39e465c3d1d6c016f000e0478c7f8f617d620667f9d3c3fa67d260cba32fe7ab2
  SSDEEP: 1536:7P4mQ+W4hKwHCtjeWQuhrzb8yUNKAbbzCwHzx5e6ywv77St+iyYzrzRvD3:7Pil4YXBFmxN/fXx5ehwSt+iyYrztD
Malware Config

Signatures
  Deletes itself (1 IoC)
    pid   process
    900   cmd.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   process                                                                   procid_target
    PID 1816 wrote to memory of 900   1816  42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe   27
    PID 1816 wrote to memory of 900   1816  42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe   27
    PID 1816 wrote to memory of 900   1816  42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe   27
    PID 1816 wrote to memory of 900   1816  42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe   27
Processes
  C:\Users\Admin\AppData\Local\Temp\42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\42d40d097e2a19314380ee3754aa046722d23e9ced73ab8025048446830f6bb7.exe"
    PID: 1816
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ggz..bat" > nul 2> nul
      PID: 900
      Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 274B
  MD5:      52931fe7abda089cd5919947ac6fc973
  SHA1:     1b483b64b3e6bcced9eea21eb0120af02e6d45db
  SHA256:   c6711f540922612a3ca69b048a9abcbf21683a2aced24cb7da5d76bc404369c3
  SHA512:   f4fb0706627ef9f6cb2dcb169d9b4beeda244d1b97a6642fdf6bb5b63fe5a1baec6bf73577f14f6e3d8ae904c4390b03d77796ee5f31a748da4609dfff29d1dd