Analysis
  max time kernel:  43s
  max time network: 46s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        03/12/2022, 15:16
Behavioral tasks
  behavioral1
    Sample:   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe
    Resource: win7-20220812-en
  behavioral2
    Sample:   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe
    Resource: win10v2004-20220812-en
General
  Target: a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe
  Size:   2.2MB
  MD5:    e598450e72082c9e7456abbc5ec2792a
  SHA1:   65b004025ac5aa0210db8037ffe7315df2ab33c1
  SHA256: a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3
  SHA512: 3f83e537fa387d536d6a58c95230c1d78494123e5dcfa964181108a27bbed865427e168c7cb78f94a1bef26a7f36a564a8cbc655c147e865158c360d112352a2
  SSDEEP: 12288:x10P7S7UgCDBR+RM42znzqzsY6hCyTyc8J97gqSBSrfR6IoSBIp9Z+4/rHAuFoeB:gqSBSrfR6KUZ+4D7Foe27wATj0uu
Malware Config
Signatures
  Executes dropped EXE (1 IoC)
    pid   Process
    816   b2e.exe

  UPX-packed memory region (yara rule match)
    resource                                                              yara_rule
    behavioral1/memory/1032-60-0x0000000000400000-0x0000000000628000-memory.dmp  upx

  Loads dropped DLL (5 IoCs)
    pid    Process
    1032   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe
    1032   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe
    872    WerFault.exe
    872    WerFault.exe
    872    WerFault.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Program crash (1 IoC)
    pid   pid_target   Process        procid_target
    872   816          WerFault.exe   28

  Suspicious use of WriteProcessMemory (8 IoCs)
    description                      pid    Process                                                                 procid_target
    PID 1032 wrote to memory of 816  1032   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe   28
    PID 1032 wrote to memory of 816  1032   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe   28
    PID 1032 wrote to memory of 816  1032   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe   28
    PID 1032 wrote to memory of 816  1032   a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe   28
    PID 816 wrote to memory of 872   816    b2e.exe                                                                 29
    PID 816 wrote to memory of 872   816    b2e.exe                                                                 29
    PID 816 wrote to memory of 872   816    b2e.exe                                                                 29
    PID 816 wrote to memory of 872   816    b2e.exe                                                                 29
Processes
  1. C:\Users\Admin\AppData\Local\Temp\a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe"
     PID: 1032
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\F049.tmp\b2e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\F049.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\F049.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\a7140dc76632fd7de60b4f83b0be552774b4f71ab58d215a99b905d3fb258cc3.exe"
        PID: 816
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\WerFault.exe
           Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 124
           PID: 872
           - Loads dropped DLL
           - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
  The report lists six downloaded files, all with identical size and hashes:
    Filesize: 1.3MB
    MD5:      47e45b199565c2f2d597b2702d013a3a
    SHA1:     fd2fbc0879d23470a60ce08d8843174d02cb3a94
    SHA256:   68d672fa81a2138adc21556cb8110ad245d4ede355e65640d69c183786331de9
    SHA512:   1010648969c682213bc1dd27e62b2a03da5509ab2c45e167f5b5926419b69d28f5f5b1568a4e2f53b18b0b00f85dc831bc5aeb8e9e368309ce52f1b46f7843a1