Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2022, 21:56

General

  • Target

    b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe

  • Size

    368KB

  • MD5

    c766a6bb8dc3988bbaf92dd98be8aa6c

  • SHA1

    f44ae2f9e62f00f0488c52cf913656a1db621457

  • SHA256

    b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314

  • SHA512

    cc4626fb40a4b41af57ae7c1ba32c2228066015eea7fb37b2e2860689756888296129ff0bc64ccdd4783d7923e41254638567f6c10a0331f1aefdb7583444996

  • SSDEEP

    6144:gDCwfG1bnxLERR9sa/6XDCwfG1bnxLERR9sa/6f2:g72bntEL9//6X72bntEL9//6e

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
    "C:\Users\Admin\AppData\Local\Temp\b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:1748
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1668
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1512
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1008
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:1360
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:472
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1696
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:676
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:876
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:1076
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:484
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1588
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1792
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1004
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:856

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    784KB

    MD5

    f53333eae5c4b771832d0c3122eaffdb

    SHA1

    665ae2cef2c162c3d39caad2b828dbcc766747f8

    SHA256

    b8ad95293c27dc3363908facc3c03dce0bf717896279bfe3ad7e522aa91e7be4

    SHA512

    92745d98c151c3029e17280ce79f37e46baf5b80687c8efda6daef45cf7921e67626c592aa0211954eba9210d23b4e49c6094460cf0c03ae7e2a7fdaae7608da

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.5MB

    MD5

    53d59030ad44049307c364f29493d176

    SHA1

    6ee81506f9673b912f98a895cf8e553936d72532

    SHA256

    f584ff3db11c1a3d014854ca273f03cebc548392c2bd00aeb6311062e004902d

    SHA512

    4a127fbad2289268b0780ffdf085e1b5c4f21fca8d048d8dfa342d857893204108d727c1d20a918b804763542b07224cf00ab0a80bbcb6c059efe8f9a693b139

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.8MB

    MD5

    a47f6ff2207a726ed0b428c26e312130

    SHA1

    a1d817841f662b30c446975dfc4a72803c5f3721

    SHA256

    87f0c7fd607ad246df8b8caeb236f1fce5bc20aa0ea12c55cd19c3fc73320d47

    SHA512

    1f1011812bff0d77e9824658f6f3f4f1f364339e364eac51277474f2d560518b17733f1e544f8eb06187e53de73696922fa8ce5e14bb4bbb17f2be2326065943

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.2MB

    MD5

    a71472fedec8bfb3f20045f032c2cab1

    SHA1

    419145884e98fb19325ecda900ef53f73a9ab3bb

    SHA256

    d39b19f7b9346c23bca13226a55a27c86b45dd6f08cc7d72adaede90b742ff4a

    SHA512

    278a4d3e706938d0c1fae55a45520748b7872c8a9c1669912f54774ffd6fe7a034896ab638424669758bd9b498e9323370c3b0948feb7a44ea3fab8c081977b2

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.9MB

    MD5

    085cb50f582156edafd55565fff69b07

    SHA1

    e973d49dcc2f1991f7f7d1b04dc42634e8d6a2ad

    SHA256

    9187a783ef335e82ee4ace058577fe810909016999e98f39c7335e9c85a9c9b5

    SHA512

    21f60491e842276a347dcb06c00add952d7031e5fa3b4ade90c9b25df5b2ca38dc4d631ac66578bff1b1774d7e9a0c46327f5f2dadd0c29bc0d083ff8f1011a0

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    2.9MB

    MD5

    bfa934087ecf2397e6d19848a778875a

    SHA1

    c0d2741e787be5c716eb9ba0cb25bd4eda3575b0

    SHA256

    758c106a9d7c5114b667dc6b3db406e9bff77a7307b0303a5963b8eb6ca5af7a

    SHA512

    467a9c8ac73e24379b7463397f9cf190c2b7fd8aaaf1a151316893bf0c31c001cae0cd39f0dcd74c4cfd7b52da3c225e31c98ba4c73025e67dbebff85e5d5014

  • C:\Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    368KB

    MD5

    12f9668262bc85c3ca39707e7d457486

    SHA1

    44d3af6487f043980627273a0ccb77c52c95d8ed

    SHA256

    3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

    SHA512

    3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    bb5f0d81909924d647dc29f49c1ab135

    SHA1

    3f69821597fc6e1bf95639ed73729d5b28d30571

    SHA256

    71a89829e758fce2196f5ae1fce0af4110c85b65f1cacbd9d34394843a0e9563

    SHA512

    e4459b6d398a439a6c086e1fbec0ce713c530f8c6ff9237fa080eb3fed35fcb938d88eb70bef32fe5d7853435c3cca5a25c207473239c460633ac30e302765ab

  • C:\Windows\hosts.exe

    Filesize

    368KB

    MD5

    12f9668262bc85c3ca39707e7d457486

    SHA1

    44d3af6487f043980627273a0ccb77c52c95d8ed

    SHA256

    3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

    SHA512

    3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

  • C:\Windows\hosts.exe

    Filesize

    368KB

    MD5

    6fb95c0ec4d47b03fd3be7fd47a786f1

    SHA1

    a3993a4938b9571c82656f3838b1c05b9dcc10a5

    SHA256

    1c28b21f1ee847ea4ebb0032aaed2d8b8782b1b18e43160498bbc85d95a3760e

    SHA512

    26fe6f3bb50b4b12f85f027032bfd83efe5fb7a1b5389fe2e0d75a9d13dd24b5cd2bb6190a8433d8ac92f142cc97ed0d03b358999a8e85b3f29fb7ec843b873b

  • C:\windows\hosts.exe

    Filesize

    368KB

    MD5

    6fb95c0ec4d47b03fd3be7fd47a786f1

    SHA1

    a3993a4938b9571c82656f3838b1c05b9dcc10a5

    SHA256

    1c28b21f1ee847ea4ebb0032aaed2d8b8782b1b18e43160498bbc85d95a3760e

    SHA512

    26fe6f3bb50b4b12f85f027032bfd83efe5fb7a1b5389fe2e0d75a9d13dd24b5cd2bb6190a8433d8ac92f142cc97ed0d03b358999a8e85b3f29fb7ec843b873b

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    368KB

    MD5

    12f9668262bc85c3ca39707e7d457486

    SHA1

    44d3af6487f043980627273a0ccb77c52c95d8ed

    SHA256

    3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

    SHA512

    3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

  • memory/532-58-0x0000000074CF1000-0x0000000074CF3000-memory.dmp

    Filesize

    8KB

  • memory/532-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

    Filesize

    8KB