Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    35s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 08:45

General

  • Target

    c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe

  • Size

    7.0MB

  • MD5

    96a1999f5291d76281f02411a71c432a

  • SHA1

    06e0ef4ef8b7af1201cbf5aae981639363b71590

  • SHA256

    c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f

  • SHA512

    e25e0c3f9080e7b9d9f0ba7480e736bc57256645a318b089778c1950fea67dbeac59650e723bfa23a7539a3b71fa3d2e2b00dc9e7b5c342a8c9e138ee8846ebb

  • SSDEEP

    196608:ba987PJHArOqVD+vTpwCaq7zspvTXgMy5cw8:zPWrfVD+bpwCDvs9XgMY8

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe
    "C:\Users\Admin\AppData\Local\Temp\c89efb1d58ba125d6afff7891d6da684fea7c95cc697708b6958c407d758681f.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start C:\Windows\System32\008.JPG
      2⤵
        PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c start C:\Windows\System32\El mejorrr!.exe
        2⤵
          PID:1308
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
        1⤵
        • Drops file in System32 directory
        • Suspicious use of FindShellTrayWindow
        PID:1936

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\008.JPG

        Filesize

        3.8MB

        MD5

        319b609fbd37b55be312169820459d04

        SHA1

        ed3dc63b1c619e7795965eed1e14f6de1da73659

        SHA256

        a195554e82e5f5c486eea5d026b98229e7556579c43acbb8c747e232e952b9db

        SHA512

        d0276a5bcb342aa719f21c5c84cbb1fc5dcec50ac8e2da1c7cdea096e84628de8cacf79c7af01d838df567e0c2f06ea2c40ce9d884d5a7c3e5cbe42ac9695865

      • memory/1344-56-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/1344-60-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/1740-58-0x0000000074F41000-0x0000000074F43000-memory.dmp

        Filesize

        8KB