Analysis
  max time kernel:  148s
  max time network: 49s
  platform:         windows7_x64
  resource:         win7-20220901-en
  resource tags:    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted:        04/12/2022, 03:05
Static task:     static1
Behavioral task: behavioral1
Sample:          e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe
Resource:        win7-20220901-en
General
  Target: e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe
  Size:   1.4MB
  MD5:    e5aaaac2fcd910193e0e68491a549308
  SHA1:   41a38a84a97599310e5cdacf04b16da6aded7697
  SHA256: e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552
  SHA512: cd39febbfed12dda594cd057c21c88f0a2834fed9c5efeac6b0066dd39a4111c1b10343c23bfa8bb317fbf9d22e700cbd3ebefc31ebb56dcbe12be02983b58f0
  SSDEEP: 24576:6iC8pRuPliuuYmjBgtojHLJR533s4GoBg80IaKqVrS7i0ZESx3Y:6YpUPliuuYYutoTLJR533SoBg8bqxSJG
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  1832  07697bc2a6aa4b1abb4ac54fe08d5a42.exe
  888   a4fe0657ae664d0daa7527c3786c1ed8.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  Description        IoC                                                           Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  vbc.exe

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
  Description                          PID   Process                               procid_target
  PID 1832 set thread context of 1652  1832  07697bc2a6aa4b1abb4ac54fe08d5a42.exe  29

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     vbc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vbc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          vbc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    vbc.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  Description        IoC                                                     Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  vbc.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  PID 1652 (vbc.exe) adjusted the following tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (21 IoCs; identical rows collapsed, count in last column)
  Description                       PID   Process                                                                 procid_target  Count
  PID 1064 wrote to memory of 1832  1064  e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe  27             4
  PID 1064 wrote to memory of 888   1064  e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe  28             4
  PID 1832 wrote to memory of 1652  1832  07697bc2a6aa4b1abb4ac54fe08d5a42.exe                                    29             13
Processes
  C:\Users\Admin\AppData\Local\Temp\e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe"
    PID: 1064
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\07697bc2a6aa4b1abb4ac54fe08d5a42.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\07697bc2a6aa4b1abb4ac54fe08d5a42.exe"
      PID: 1832
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        PID: 1652
        - Checks BIOS information in registry
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\a4fe0657ae664d0daa7527c3786c1ed8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a4fe0657ae664d0daa7527c3786c1ed8.exe"
      PID: 888
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 947KB
  MD5:      4765736a08a7eb356a47b46b296089a3
  SHA1:     a9b7293c9c976fb7b63b0b194742779df8bd9c26
  SHA256:   fe6dc4d190ee5fd064e80b35391706fbe7dbf262c4e4bd5ec1f1d43206d788df
  SHA512:   9f32c4f06fc1e85303ba5c041dd434933945afa66c205d662d1ca406ffb8dfb42ebc08fee696f9c2521dbd85143f1de559afa4a7dbfddf33330de4bf00a9d0d8
  Filesize: 188KB
  MD5:      67fc3caef08bd36a362bafc15d7a363b
  SHA1:     797f9e84a63b2d18656a6a9bd8794d25ffe1921b
  SHA256:   dddc5b4f3b43ec0aad7c36d97df3d6206356e1eae709644db014a5d4a26cd495
  SHA512:   31075cbbf21f1f4b4f3f5c52434e7856ea3c789760d793e982e31c0262d81ba00afc7bc7e17ab285ae2251d4848d9c6f77f9b8d981555006b7bc8d13628a3cce