Analysis
- max time kernel: 93s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2022, 21:32
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: 6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe
  - Resource: win10v2004-20220812-en
General
- Target: 6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe
- Size: 114KB
- MD5: 09945d835a49e69aa6b0c12913f0176e
- SHA1: df15b07e32658a9b54f6644cae201618e36e3fe0
- SHA256: 6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330
- SHA512: 2b512d540beddc9385e383e04f442b78f50d769003a9c744c1feafc9443b5c8b2a44636a2c974fb16184cc51f0788134b0ebbfb6fca159ff3ace5935c95e9b8b
- SSDEEP: 1536:Cr7QvQt3WpOck/R3Xz0z2arhTRifCFTuARVpgM+Wf3VkPVfT48Jnit4dXJlVit5y:Cz+92mhTMMJ/cPiq5bViX5kYi2YSc
Malware Config
Signatures
- Drops file in Drivers directory (3 IoCs)
  File created: C:\Windows\system32\drivers\etc\hоsts (Process: cmd.exe)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (Process: uspsblwbioboxpml.exe)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (Process: cmd.exe)
- Executes dropped EXE (1 IoC)
  PID 852: uspsblwbioboxpml.exe
- Loads dropped DLL (4 IoCs)
  PID 1948: 6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe (4 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  PID 1212: taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1212: taskkill.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 852: uspsblwbioboxpml.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  PID 1948 (6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe) wrote to memory of PID 852, procid_target 27 (7 entries)
  PID 852 (uspsblwbioboxpml.exe) wrote to memory of PID 2032, procid_target 28 (7 entries)
  PID 2032 (cmd.exe) wrote to memory of PID 1972, procid_target 30 (7 entries)
  PID 2032 (cmd.exe) wrote to memory of PID 1212, procid_target 31 (7 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bde7cc72b32fe3c972eb50a8b3dfb372b54d04dd42cd8115ee7eb678d91d330.exe"
  PID: 1948
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uspsblwbioboxpml.exe" htxkwau.bat+
    PID: 852
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c htxkwau.bat
      PID: 2032
      - Drops file in Drivers directory
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\chcp.com
        Command line: chcp 866
        PID: 1972
      - [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im "praetorian.exe"
        PID: 1212
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 11KB
  MD5: f0e2887a64780579b26218394735ade9
  SHA1: eef146067883cdeace57a98d7675c5e1e5335297
  SHA256: c7df727c52d9390e4ae0f60d71803a21f2170127664828d1a074c72d81002af2
  SHA512: 115be0ac5a10a9116583a74c0cd430361de3c15e0302e0a5579958a57756e50c1ef99f8728b9d10900dcd83849c9dc742537ad19aeaa68649f131fce9d442e38
- Filesize: 20KB
  MD5: e2b051be5b31684e39c4f62948f92588
  SHA1: 23cb2f7549775bed432dd5320ce27957846a2ec9
  SHA256: 900296d4126449331857e8754bad845ee29d12ecf628c2929d9c2922bba0b0d5
  SHA512: f310b07673676ee2d9feb58bb09450e228dd06a89d35ce23072d332ba55dfa61cd24492494f604d0af822a83bf82847a0465f56974614a1b6115821bebf29710
- Filesize: 969B
  MD5: 88e836e667a4b903cd0b579c4b7d0dc3
  SHA1: d32f0fcbdd7ce97569b396f27e3a4120a44b0c65
  SHA256: 845dba03ad05979240875c69d01554d91cadb74fe1d97d30949e4f15f7022900
  SHA512: ecf3851789a66a81994112ac97e48836bb3e3dc5b4d7121020d53df13fa7341b6fb2fae7ee7b82e82976afb91dbeff2996471ac5816e33d2d8954d52cf2c66da