Analysis
-
max time kernel
42s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
05/12/2022, 16:12
Static task
static1
Behavioral task
behavioral1
Sample
f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
Resource
win10v2004-20221111-en
General
-
Target
f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
-
Size
168KB
-
MD5
84bde147952c733a576987980796f580
-
SHA1
b56dad6e162ea2bf28181a0178597922e417dc40
-
SHA256
f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e
-
SHA512
274c21d858679adca8a3f791d2b16cabf7f7a9af5ae601ebf77bbc081aad89bb8bb1f618fd53f7e8e74bdb1acaaf6706c3cf8bfa91481d33e22e87ce28ada023
-
SSDEEP
3072:TQIURTXJXdMn35l27PZA4Qi1a8njb8aDryvx1tNt+UNNOXXT/8NFfNAP:Tsc3iZZaEn8Er8f0yOHT/0lAP
Malware Config
Signatures
-
Loads dropped DLL 5 IoCs
pid   Process
2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
828   regsvr32.exe
972   WerFault.exe
972   WerFault.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid  pid_target  Process       procid_target
972  828         WerFault.exe  26
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid  Process
828  regsvr32.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description                      pid   Process                                                                procid_target
PID 2016 wrote to memory of 828  2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe  26
PID 2016 wrote to memory of 828  2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe  26
PID 2016 wrote to memory of 828  2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe  26
PID 2016 wrote to memory of 828  2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe  26
PID 2016 wrote to memory of 828  2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe  26
PID 2016 wrote to memory of 828  2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe  26
PID 2016 wrote to memory of 828  2016  f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe  26
PID 828 wrote to memory of 972   828   regsvr32.exe                                                           27
PID 828 wrote to memory of 972   828   regsvr32.exe                                                           27
PID 828 wrote to memory of 972   828   regsvr32.exe                                                           27
PID 828 wrote to memory of 972   828   regsvr32.exe                                                           27
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe"
Process tree depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\regsvr32.exe
Command line: regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\nso3161.tmp\hvlduxmp.dll"
Process tree depth: 2
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 312
Process tree depth: 3
- Loads dropped DLL
- Program crash
PID:972
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
724KB
MD5
c8ba018ed4a06c28657146326151c5d8
SHA1
65670a104b327629622355be14b1d78de3e2f81f
SHA256
ce8e58a59ab8d325618cfd4b144bb327a35e11674b069f76fc43b3696c3a25b5
SHA512
2ecf565ed5db63b84197cfebc80adcee84b6c9ccd201c900a9947cafde34ec1bb64a1b166d31363a70f4dc0e52ee3e80e70d64e0ed3d036a8acd39f0a5f4f24e
-
Filesize
11KB
MD5
c17103ae9072a06da581dec998343fc1
SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f