Analysis

  • max time kernel: 256s
  • max time network: 352s
  • platform: windows7_x64
  • resource: win7-20221111-en
  • resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/12/2022, 09:54

General

  • Target: d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
  • Size: 516KB
  • MD5: bcabfaa80e73c984229f810d47f57e3d
  • SHA1: 6a213bed666b039bf1b9c4218dd1af36cfc8b701
  • SHA256: d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885
  • SHA512: f16c42287eced00fd64cbd6594f07a40b3157c3ff961065e80a7852d55e9448964488346dcff12c305a52dfff8513bc695a9ff85448468b4f1ced52322a075f6
  • SSDEEP: 6144:qGFBYR8QaB8F6SXXMf2J1xWOHSCKN2xPazeFwhTqPrABl/djGzK7j3X:qKaR8TBL

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
    "C:\Users\Admin\AppData\Local\Temp\d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe"
    1⤵
    • Adds Run key to start application
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=gOO_UqzEc5Y
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 238efa66b46e1320f1452bbb335e83e8
    SHA1: 9d77fed63c7ce91bc62dfe0c1d9c354f04591acb
    SHA256: cfc1bbbc67d33c03f3a7b57f7e434dd3809c48992f1dcd92f0143ceb3be26ace
    SHA512: 74b881c9b7fe3dcca4687860185d180d7373ea18acb358381f8015bc6015546d7ac067caf3b4e4cc05ecad05775cc81a5b5b12653a5696e66c713e760450b565

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat
    Filesize: 1KB
    MD5: 65c5f1308b1783ab8925407a9cd6f725
    SHA1: 513c12dd7c51ee7b376b9c7037804c9c6bcd11ed
    SHA256: 3167c2a6b6a2937403d48e1101977e469e9c85f1872b7283b7042dc25980db89
    SHA512: 3f88cd884630ab33e320374c7372346dffa054b2e6f20da98bc3ff581b2e1572293d11be61b6e78467cdae6b9295f87b34715b7127e943d67c31ce6dda01b2ab

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2EB6NUAO.txt
    Filesize: 608B
    MD5: 11b8f7dfd60cc40d4c7a424552dd228e
    SHA1: 573303cdccd9b0aaee71bbb3eb52a104e7d5cb1d
    SHA256: eb3b5f592689413ec79ddb052e4d2644aa0fae557d99640e0d90f031efa0189d
    SHA512: 76b9d9007bdf535247ebe52e2a9537cb200185781889a4b3a660c26cd0ed79233583b3f66d82a295148aa737ebfe27bc4e23f4948ccc199defb0a332632a339c

  • memory/1476-54-0x0000000000400000-0x0000000000481000-memory.dmp
    Filesize: 516KB

  • memory/1476-57-0x00000000763D1000-0x00000000763D3000-memory.dmp
    Filesize: 8KB

  • memory/1476-59-0x0000000000400000-0x0000000000481000-memory.dmp
    Filesize: 516KB