Analysis
- max time kernel: 151s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 07:19
Behavioral task behavioral1
- Sample: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- Resource: win10v2004-20220901-en
General
- Target: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe
- Size: 33KB
- MD5: 5bd3e31b75686582925a42028a137ac9
- SHA1: 8d5b54634296341e3be68c6b241456e1e2a1c6cf
- SHA256: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70
- SHA512: 201f4394f1131baa4cca6826e4df15b18a620ea6839f822ce838f90fd5745b0ecc53b59759c5e94bac9ba8f833ed8188039cddbdfe1ba0d6909954d5698c27a3
- SSDEEP: 768:70ei+ZzUvUtyaKBe49GY3fUn7/yyt78gV+huAQoEz6Uozh:4eRUvU8aK79GyfW8gpz6Uk
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\64to32\Parameters\ServiceDll = "C:\\Windows\\system32\\64to32.dll" (process: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe)
YARA rule match
- resource behavioral1/memory/1500-59-0x0000000000400000-0x0000000000421000-memory.dmp, yara_rule: upx
Deletes itself (1 IoC)
- PID 1756 cmd.exe
Loads dropped DLL (1 IoC)
- PID 1404 svchost.exe
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP 208.67.220.220
- Destination IP 208.67.220.220
Drops file in System32 directory (4 IoCs)
- File created C:\Windows\SysWOW64\64to32.dll (process: ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe)
- File opened for modification C:\Windows\SysWOW64\Windowsxp32.ini (process: svchost.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: svchost.exe)
- File opened for modification C:\Windows\SysWOW64\Windowsxp.ini (process: svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (24 IoCs)
Suspicious behavior: EnumeratesProcesses (56 IoCs)
- PID 1500 ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe (4 entries)
- PID 1404 svchost.exe (52 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1500 (ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe) wrote to memory of PID 1756, procid_target 28 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe (PID 1500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef2c5839ce475f1761e5a8a0113cd5c1c6a91b27b3176bcefeaacb086cda4a70.exe"
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 1756)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EF2C58~1.EXE >> NUL
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe (PID 1404)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 68KB
- MD5: 95132e78819ca2b72dc0033c55df15a9
- SHA1: c4baf68a9078386fccd0d70b44bf483b6c5ac517
- SHA256: 99391f7ae0a3841cb93ba5042b4370315c3351b524a05828c9e10d6908e96247
- SHA512: 9531e2e42b0ca8931420530a1c784d564c9aa10aa36cd8cdc2911b7610ad83afdb02556bf45fcd4a0abd8cc0d21ebfa6850c2cd4c3e40946333a9244f46ae291