Analysis
max time kernel: 34s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 15:43
Static task
static1

Behavioral task
behavioral1
Sample: aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe
Resource: win7-20220812-en

Behavioral task
behavioral2
Sample: aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe
Resource: win10v2004-20220812-en
General
Target: aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe
Size: 37KB
MD5: ba07e86ce5bccbb4a9a9cdafef15f697
SHA1: f0a4f538bfcd9138b195ca0a2b1e8939d8c79310
SHA256: aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161
SHA512: 4cba5bc48c53928c16cd801f58d0a4cc6e3b8447df0ee6b5aec0ff0b8172b3fb9631c34c7e5baef82c8e4991eee1a2c3d2b8f580028835825ade0deab8ad668a
SSDEEP: 768:qhngu9Tmmdm3XR1hrNlYgu2O0cxBntsA7p5ULFnbiFJzuI6rwR:wTmmdm3hDrNlxH4l7p5YFnbiFl6rI
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: JaKeIsJaCk1
Signatures

Executes dropped EXE (1 IoC)
pid 2036: MCCodeGenerator.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature. Nothing else in this report, no mass file writes and no ransom note, supports a ransomware classification; the extracted SMTP exfiltration config and the SetWindowsHookEx use below are more consistent with a keylogger/credential stealer.)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 2036: MCCodeGenerator.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid 2036: MCCodeGenerator.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 364 wrote to memory of 2036 | 364 | aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe | 26
PID 364 wrote to memory of 2036 | 364 | aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe | 26
PID 364 wrote to memory of 2036 | 364 | aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe | 26
Processes

1. C:\Users\Admin\AppData\Local\Temp\aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe"
   PID: 364
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\AppData\Roaming\MCCodeGenerator.exe
   command line: "C:\Users\Admin\AppData\Roaming\MCCodeGenerator.exe"
   PID: 2036
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
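The process tree and signatures above describe a short but distinctive chain: a binary running from %TEMP% drops a file under %APPDATA%\Roaming, executes it as a child, and that child (which also requests SeDebugPrivilege and installs a Windows hook) has an SMTP configuration pointing at smtp.gmail.com:587. The following is an added detection example, not tria.ge output or the sample's own code. It runs over constructed Sysmon-style events (process create, file create, network connect) that mirror the report's process tree; the PIDs, paths and hashes are copied from the page, while the event schema, the benign Outlook noise event, the parent PID 1200 and the second sample hash are assumptions made for the example.

```python
"""Detection logic for the drop-and-execute + SMTP exfil chain in the report above.

Added example, not tria.ge's code. EVENTS is a CONSTRUCTED Sysmon-style event
list approximating what the sandbox observed; PIDs, paths and the SHA256 are
taken from the report, everything else (schema, ppid 1200, the Outlook event)
is assumed for illustration.
"""
import re

SAMPLE_SHA256 = "aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161"
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe")
DROPPED_PATH = r"C:\Users\Admin\AppData\Roaming\MCCodeGenerator.exe"

# Hashes from the report's General section (known-bad list for this example).
KNOWN_SHA256 = {SAMPLE_SHA256: "tria.ge sample"}

# Directories an unprivileged user can write to; a process whose image lives
# here and whose parent also wrote that image is the pattern on the page.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
MAIL_PORTS = {25, 465, 587}

EVENTS = [  # constructed; chronological order is assumed
    {"type": "process_create", "pid": 364, "ppid": 1200, "image": SAMPLE_PATH,
     "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 364, "target": DROPPED_PATH},
    {"type": "process_create", "pid": 2036, "ppid": 364, "image": DROPPED_PATH,
     "sha256": SAMPLE_SHA256},
    {"type": "network_connect", "pid": 2036, "dst_host": "smtp.gmail.com", "dst_port": 587},
    # Benign noise: a mail client on port 587 must not trip the chain rule.
    {"type": "process_create", "pid": 4100, "ppid": 1200,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "sha256": "00" * 32},
    {"type": "network_connect", "pid": 4100, "dst_host": "smtp.office365.com", "dst_port": 587},
]


def hash_hits(events):
    """Map PID -> label for process creations whose image hash is known-bad."""
    return {e["pid"]: KNOWN_SHA256[e["sha256"]] for e in events
            if e["type"] == "process_create" and e.get("sha256") in KNOWN_SHA256}


def drop_and_execute(events):
    """Return (writer_pid, child_pid, path) where a process wrote a file into a
    user-writable directory and later spawned a child from that exact path."""
    dropped = {}  # normalized path -> pid that wrote it
    hits = []
    for e in events:
        if e["type"] == "file_create" and USER_WRITABLE.search(e["target"]):
            dropped[e["target"].lower()] = e["pid"]
        elif e["type"] == "process_create":
            writer = dropped.get(e["image"].lower())
            if writer is not None and writer == e["ppid"]:
                hits.append((writer, e["pid"], e["image"]))
    return hits


def smtp_from_suspicious(events, suspicious_pids):
    """Outbound mail-port connections from PIDs already flagged by another rule.
    Port 587 alone is a weak signal (mail clients use it), so it only scores
    when combined with a prior hit."""
    return [(e["pid"], e["dst_host"], e["dst_port"]) for e in events
            if e["type"] == "network_connect" and e["dst_port"] in MAIL_PORTS
            and e["pid"] in suspicious_pids]


def hunt(events):
    """Combine the three rules into a list of human-readable findings."""
    findings = []
    suspicious = set()
    for pid, label in hash_hits(events).items():
        findings.append(f"pid {pid}: known sample hash ({label})")
        suspicious.add(pid)
    for writer, child, path in drop_and_execute(events):
        findings.append(f"pid {writer} dropped and executed {path} as pid {child}")
        suspicious.update({writer, child})
    for pid, host, port in smtp_from_suspicious(events, suspicious):
        findings.append(f"pid {pid}: SMTP to {host}:{port} (possible keystroke/credential exfil)")
    return findings


if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

The chain rule deliberately requires the parent to have written the child's image and not merely to have spawned something from %APPDATA%, which keeps installers and updaters that copy themselves out of the hit list to a degree; the SMTP rule is gated on an earlier hit for the same reason, since port 587 traffic is routine on a workstation.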
Network
MITRE ATT&CK Enterprise v6
Downloads
Two entries with identical values; both match the hashes of the submitted sample listed under General.
Filesize: 37KB
MD5: ba07e86ce5bccbb4a9a9cdafef15f697
SHA1: f0a4f538bfcd9138b195ca0a2b1e8939d8c79310
SHA256: aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161
SHA512: 4cba5bc48c53928c16cd801f58d0a4cc6e3b8447df0ee6b5aec0ff0b8172b3fb9631c34c7e5baef82c8e4991eee1a2c3d2b8f580028835825ade0deab8ad668a