Analysis
max time kernel: 21s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 00:35
Static task: static1
Behavioral task: behavioral1
  Sample: bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
  Resource: win10v2004-20221111-en
General
Target: bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
Size: 8.6MB
MD5: 551f83e52d985497f7601601d95b85bd
SHA1: 1303d690f2089a91f5669e094ea2562e101e3b69
SHA256: bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce
SHA512: 6b4a24955e9ac3b13c0c0aa8587b3e3559342000f064149c3216c8eb9219d7e763aacddb2448aa7ce2071ac0c92a7bb127b710fff883426358ef18429078a9b2
SSDEEP: 98304:J/tgS++cwcaS+/t3S++cwcaS+/tJS++cwcaS+/tcS++cwcaS+/t/tRcwcaS+/tBq:nJAiFVF6JAiFVs6JAiFV
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid  | Process
1480 | notpad.exe
464  | tmp7126687.exe
1532 | tmp7127997.exe

UPX packed file (7 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000013a0c-55.dat | upx
behavioral1/files/0x0008000000013a0c-58.dat | upx
behavioral1/files/0x0008000000013a0c-56.dat | upx
behavioral1/files/0x0008000000013a0c-59.dat | upx
behavioral1/memory/1480-63-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1480-73-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/files/0x000a0000000133af-70.dat | upx

Loads dropped DLL (5 IoCs)
pid  | Process
1472 | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
1472 | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
1480 | notpad.exe
1480 | notpad.exe
1480 | notpad.exe

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\fsb.tmp | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File created | C:\Windows\SysWOW64\notpad.exe | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File created | C:\Windows\SysWOW64\notpad.exe- | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File opened for modification | C:\Windows\SysWOW64\fsb.stb | tmp7126687.exe
File opened for modification | C:\Windows\SysWOW64\fsb.tmp | tmp7126687.exe
File created | C:\Windows\SysWOW64\notpad.exe | tmp7126687.exe
File created | C:\Windows\SysWOW64\fsb.stb | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
File created | C:\Windows\SysWOW64\notpad.exe- | tmp7126687.exe
File created | C:\Windows\SysWOW64\fsb.tmp | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1" | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1" | tmp7126687.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1472 wrote to memory of 1480 | 1472 | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe | 28
PID 1472 wrote to memory of 1480 | 1472 | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe | 28
PID 1472 wrote to memory of 1480 | 1472 | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe | 28
PID 1472 wrote to memory of 1480 | 1472 | bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe | 28
PID 1480 wrote to memory of 464 | 1480 | notpad.exe | 29
PID 1480 wrote to memory of 464 | 1480 | notpad.exe | 29
PID 1480 wrote to memory of 464 | 1480 | notpad.exe | 29
PID 1480 wrote to memory of 464 | 1480 | notpad.exe | 29
PID 1480 wrote to memory of 1532 | 1480 | notpad.exe | 30
PID 1480 wrote to memory of 1532 | 1480 | notpad.exe | 30
PID 1480 wrote to memory of 1532 | 1480 | notpad.exe | 30
PID 1480 wrote to memory of 1532 | 1480 | notpad.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bfeac5cd6f52cad74b210ee3af12bda832efff686ae68dc84fa722b8b957b6ce.exe"
   PID: 1472
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\notpad.exe
      Command line: "C:\Windows\system32\notpad.exe"
      PID: 1480
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\tmp7126687.exe
         PID: 464
         - Executes dropped EXE
         - Drops file in System32 directory
         - Modifies registry class
      3. C:\Users\Admin\AppData\Local\Temp\tmp7127997.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\tmp7127997.exe
         PID: 1532
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads