Analysis
max time kernel: 119s
max time network: 32s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 10:50
Behavioral task: behavioral1
Sample: fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe
Resource: win10v2004-20220901-en
General
Target: fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe
Size: 51KB
MD5: 888cc693dd7c3f97b57282a54a55a520
SHA1: ad4e0aacc9c752cd3842c921057e90f9e5aaba7e
SHA256: fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7
SHA512: e78c4b5c21385bbc15049c434fbb3bd673a5c88ab9f85fa78220f0bb1ab71f4ffa940f373eb833e05eabe3c9163a4d66005ede0f370d84fbf7ee800947ca34f7
SSDEEP: 768:WoH24OpQ9BopxbEOC2IdM1+R5GAaYEgO+ihaOe/dV4L06UXCgHN6n+/vwhrvTCI:WJ4ZE5Idu+jMRghbOGWL0jXBN6nnvWI
Malware Config
Signatures

Deletes itself (1 IoC)
pid   Process
584   svchost.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid   Process
668   NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
584   svchost.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid    Process
1596   fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe
1596   fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                          pid    Process                                                                  procid_target
PID 1596 wrote to memory of 584      1596   fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe    28
PID 1596 wrote to memory of 584      1596   fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe    28
PID 1596 wrote to memory of 584      1596   fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe    28
PID 1596 wrote to memory of 584      1596   fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe    28
PID 584 wrote to memory of 668       584    svchost.exe                                                              29
PID 584 wrote to memory of 668       584    svchost.exe                                                              29
PID 584 wrote to memory of 668       584    svchost.exe                                                              29
PID 584 wrote to memory of 668       584    svchost.exe                                                              29
Processes

1. C:\Users\Admin\AppData\Local\Temp\fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.exe"
   PID: 1596
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 584
      - Deletes itself
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\NOTEPAD.EXE
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.txt
         PID: 668
         - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\fb6106e6e5d1048dc13cf1ca7530b62313cf7f23560a3c6c9e2b8e3e31e21de7.txt
Filesize: 36B
MD5: 1123526e0d34644d9ff8b94378b07ba1
SHA1: 2997bdce99c9d7eeeb6ab2f55a6b246748ba9ae3
SHA256: 01166f19ae656c254351e749ecab3b3956c3242c5653e299aaa4f3830cce505e
SHA512: 2defbc915b4e0ab4320bbe23ab71c5a911fa538031c415de47f2d58190267a91215ac4469c8f115c7d6f21bb775e2232ddc3ae898a8d75ec2dae9a52e884b8e6