Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 07:19

General

  • Target

    ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe

  • Size

    33KB

  • MD5

    5bd3e31b75686582925a42028a137ac9

  • SHA1

    8d5b54634296341e3be68c6b241456e1e2a1c6cf

  • SHA256

    ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70

  • SHA512

    201f4394f1131baa4cca6826e4df15b18a620ea6839f822ce838f90fd5745b0ecc53b59759c5e94bac9ba8f833ed8188039cddbdfe1ba0d6909954d5698c27a3

  • SSDEEP

    768:70ei+ZzUvUtyaKBe49GY3fUn7/yyt78gV+huAQoEz6Uozh:4eRUvU8aK79GyfW8gpz6Uk

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
    "C:\Users\Admin\AppData\Local\Temp\ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EF2C58~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:1756
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:1404

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\64to32.dll

    Filesize

    68KB

    MD5

    95132e78819ca2b72dc0033c55df15a9

    SHA1

    c4baf68a9078386fccd0d70b44bf483b6c5ac517

    SHA256

    99391f7ae0a3841cb93ba5042b4370315c3351b524a05828c9e10d6908e96247

    SHA512

    9531e2e42b0ca8931420530a1c784d564c9aa10aa36cd8cdc2911b7610ad83afdb02556bf45fcd4a0abd8cc0d21ebfa6850c2cd4c3e40946333a9244f46ae291

  • \Windows\SysWOW64\64to32.dll

    Filesize

    68KB

    MD5

    95132e78819ca2b72dc0033c55df15a9

    SHA1

    c4baf68a9078386fccd0d70b44bf483b6c5ac517

    SHA256

    99391f7ae0a3841cb93ba5042b4370315c3351b524a05828c9e10d6908e96247

    SHA512

    9531e2e42b0ca8931420530a1c784d564c9aa10aa36cd8cdc2911b7610ad83afdb02556bf45fcd4a0abd8cc0d21ebfa6850c2cd4c3e40946333a9244f46ae291

  • memory/1500-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

    Filesize

    8KB

  • memory/1500-59-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB