Analysis
max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: 984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe
  Resource: win10v2004-20220812-en
General
Target: 984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe
Size: 24KB
MD5: b7238e895dacb08dc02cc9fffe8d6ae6
SHA1: 50dc839b70238b7978172fad5da7decc1a3670af
SHA256: 984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589
SHA512: 058c5555b3dd12040b232f87ab8786f5c343ec3a2f338cc2d7f9c0116e648e1d85d59265281a37ca40a7b4d3fe9bdb808a40d9339f52332909a9643fe00cd213
SSDEEP: 384:GFMhenvo5s+k2abxKHBRZkZTlzOPRlDA/dUIC3RYAdi25M7S/2oEm:oMhyQa2abxKHBRZkZxSHL3tdi25aE2lm
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1628, process bot.exe
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\bot.exe, by process 984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but no file-encryption or mass file-modification activity appears anywhere else in this analysis, so treat it as a generic hint rather than a confirmed capability.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1628, process bot.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1788, process 984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  The 64 entries collapse to two writer/target pairs (columns: description | pid | process | procid_target):
  PID 1788 wrote to memory of 1628 | 1788 | 984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe | 27   (4 entries)
  PID 1628 wrote to memory of 1380 | 1628 | bot.exe | 15   (60 entries)
  PID 1788 is the sample and 1628 is the bot.exe child it spawned (see Processes); a parent writing into a child it has just created can also occur as part of ordinary process start-up. PID 1380 is Explorer.EXE, which bot.exe did not create, so the 60 writes from bot.exe into Explorer.EXE are the ones that indicate cross-process injection.
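The classification used above, as an added example that is not part of the Triage report or its tooling: the script rebuilds the writer/target counts from a flattened IoC blob (constructed here to reproduce the report's 4 + 60 entries) and, using the parent/child relationships from the process tree, separates writes into a process the writer spawned from writes into an unrelated process. The regex for the flattened entry format is an assumption based on how the entries appear on this page.

```python
"""Added example: summarise WriteProcessMemory IoCs from a Triage-style report and
separate writes into a spawned child from writes into an unrelated process.
Input is constructed to reproduce the counts in the report; not Triage code."""
import re
from collections import Counter

SAMPLE = "984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe"

# pid -> parent pid, taken from the report's process tree (Explorer.EXE is the root).
PROCESS_TREE = {1380: None, 1788: 1380, 1628: 1788}
PROCESS_NAMES = {1380: "Explorer.EXE", 1788: SAMPLE, 1628: "bot.exe"}

# One flattened IoC entry, as it appears on the page (assumed format):
# "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"
IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def build_ioc_blob():
    """Constructed input: 4 entries 1788->1628 and 60 entries 1628->1380, as in the report."""
    entries = [f"PID 1788 wrote to memory of 1628 1788 {SAMPLE} 27"] * 4
    entries += ["PID 1628 wrote to memory of 1380 1628 bot.exe 15"] * 60
    return " ".join(entries)


def parse_writes(blob):
    """Count writes per (writer_pid, target_pid) pair."""
    return Counter((int(m.group(1)), int(m.group(2))) for m in IOC_RE.finditer(blob))


def is_descendant(pid, ancestor, tree):
    """True if `ancestor` is somewhere on pid's parent chain."""
    parent = tree.get(pid)
    while parent is not None:
        if parent == ancestor:
            return True
        parent = tree.get(parent)
    return False


def classify_writes(writes, tree):
    """Return (into_own_descendants, into_unrelated).

    A parent writing into a child it just created can be part of normal process
    start-up; writing into a process it did not create (here bot.exe -> Explorer.EXE)
    is the injection indicator worth triaging first."""
    own, unrelated = {}, {}
    for (src, dst), count in writes.items():
        bucket = own if is_descendant(dst, src, tree) else unrelated
        bucket[(src, dst)] = count
    return own, unrelated


if __name__ == "__main__":
    writes = parse_writes(build_ioc_blob())
    own, unrelated = classify_writes(writes, PROCESS_TREE)
    for (src, dst), n in unrelated.items():
        print(f"{PROCESS_NAMES[src]} ({src}) wrote {n}x into "
              f"{PROCESS_NAMES[dst]} ({dst}), which it did not spawn")
```

On a real report the blob can be fed in from the page text and the tree from the Processes section; the parent/child check is what keeps the loader's own writes into a new child from drowning out the one pair that matters.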
Processes
1. C:\Windows\Explorer.EXE  (PID 1380)
   2. C:\Users\Admin\AppData\Local\Temp\984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe  "C:\Users\Admin\AppData\Local\Temp\984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe"  (PID 1788)
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\bot.exe  "C:\Windows\bot.exe"  (PID 1628)
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
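The drop-then-execute chain in the tree above (sample running from AppData\Local\Temp writes C:\Windows\bot.exe, then launches it) is the kind of pattern a detection engineer would correlate over endpoint telemetry. The following is an added example, not code from Triage or from Sysmon: it runs a simple correlation over constructed Sysmon-style file-create and process-create events that mirror the report's process tree. The Event fields and the "user temp" heuristic are assumptions made for the example.

```python
"""Added example: correlate 'file dropped directly into C:/Windows' with
'dropped file executed' over Sysmon-style events. Events are constructed to
mirror the report's process tree; this is not Triage or Sysmon code."""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "file_create" or "process_create" (assumed schema)
    actor_pid: int       # process that wrote the file or created the process
    actor_image: str     # its image path
    target: str          # file path written, or image of the new process
    new_pid: int = 0     # PID of the created process (process_create only)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\984d0e395d8d16609eb127357acf8663972fb4c9c252bc5534b6dfc5fd874589.exe"

# Constructed from the report: Explorer starts the sample, the sample writes
# C:\Windows\bot.exe, then launches it as PID 1628.
EVENTS = [
    Event("process_create", 1380, r"C:\Windows\Explorer.EXE", SAMPLE, new_pid=1788),
    Event("file_create", 1788, SAMPLE, r"C:\Windows\bot.exe"),
    Event("process_create", 1788, SAMPLE, r"C:\Windows\bot.exe", new_pid=1628),
]


def in_windows_root(path):
    r"""True for an .exe directly under C:\Windows\ (not in a subdirectory)."""
    p = path.lower()
    prefix = "c:\\windows\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):] and p.endswith(".exe")


def from_user_temp(path):
    r"""Heuristic (assumed): image lives under a user's AppData\Local\Temp."""
    return "\\appdata\\local\\temp\\" in path.lower()


def drop_and_exec_in_windows_root(events):
    r"""Return (dropper_image, dropped_path, new_pid) for every .exe that a process
    running from a user temp directory writes into C:\Windows\ and later executes.
    Writing there needs admin rights, so from a temp-dir process it is a dropper pattern."""
    dropped = {}   # lower-cased dropped path -> dropper image
    hits = []
    for e in events:
        if e.kind == "file_create" and in_windows_root(e.target) and from_user_temp(e.actor_image):
            dropped[e.target.lower()] = e.actor_image
        elif e.kind == "process_create" and e.target.lower() in dropped:
            hits.append((dropped[e.target.lower()], e.target, e.new_pid))
    return hits


if __name__ == "__main__":
    for dropper, path, pid in drop_and_exec_in_windows_root(EVENTS):
        print(f"{dropper} dropped {path} and executed it as PID {pid}")
```

The ordering matters: the file-create event must precede the process-create of the same path, which is why the correlation keeps a map of dropped paths rather than matching events independently.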
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 12KB
MD5: a58bf9fc0d40be326f68e2ea2c27a6a0
SHA1: d6e9084dbf3aa6c0d3aea737e4fa65488ac6e5de
SHA256: 98dcb2580c7de1860f30c119ad12a8986578eee1b1b6925ae8e718709992c4d5
SHA512: 40419d6f5cc64fe21c6c23ce8306318b68801e17dce703948e23c2f0600f890d92e2a674f501dd36b6774ac0f41ad436da0f1f199ff2724f4a324a99f04e7182