Analysis
- max time kernel: 201s
- max time network: 109s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 11:31
Static task: static1
Behavioral task: behavioral1
- Sample: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
- Resource: win10v2004-20220812-en
General
- Target: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
- Size: 52KB
- MD5: f3bb66276e7ac3a94edc1a9a9ca53c37
- SHA1: e2f6fec017026e5563398fb8495ce646868e302b
- SHA256: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde
- SHA512: 9cd768523c75074fa4b4b4f99d1548c160a7f5fb87d20b28043e5bb4cca9ab4496aa0ed643b6f12c6f75b59565df4bda8fd9c7fd5e28a7d9327384447f5b58d8
- SSDEEP: 768:GSnjtx4xj1NVf84XWWJtvdvpofMB9pXJXHMXxTIeRtYU7:1ExRrft3CaBsBTIefR7
Malware Config
Signatures

Executes dropped EXE (1 IoC)
- pid 1748: winlogon.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: winlogon.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe" (process: winlogon.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: winlogon.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe" (process: winlogon.exe)

Drops autorun.inf file (1 TTP, 26 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification by winlogon.exe: D:\autorun.inf, \??\E:\autorun.inf, \??\I:\autorun.inf, \??\K:\autorun.inf, \??\P:\autorun.inf, \??\Q:\autorun.inf, \??\S:\autorun.inf, \??\B:\autorun.inf, \??\H:\autorun.inf, \??\J:\autorun.inf, \??\X:\autorun.inf, \??\Y:\autorun.inf, \??\W:\autorun.inf, \??\A:\autorun.inf, C:\autorun.inf, \??\F:\autorun.inf, \??\G:\autorun.inf, \??\N:\autorun.inf, \??\O:\autorun.inf, \??\V:\autorun.inf, \??\Z:\autorun.inf, \??\L:\autorun.inf, \??\M:\autorun.inf, \??\R:\autorun.inf, \??\T:\autorun.inf, \??\U:\autorun.inf

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\winlogon.exe (process: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe)
- File opened for modification: C:\Windows\winlogon.exe (process: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe)
- File created: C:\Windows\winlogon.exe (process: winlogon.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 1748: winlogon.exe (64 occurrences)

Suspicious use of SetWindowsHookEx (4 IoCs)
- pid 1676: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe (2 occurrences)
- pid 1748: winlogon.exe (2 occurrences)

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1676 wrote to memory of 1748: pid 1676, process a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe, procid_target 28 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde.exe"
  PID: 1676
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\winlogon.exe (child of PID 1676)
    Command line: "C:\Windows\winlogon.exe"
    PID: 1748
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 52KB
  MD5: f3bb66276e7ac3a94edc1a9a9ca53c37
  SHA1: e2f6fec017026e5563398fb8495ce646868e302b
  SHA256: a30153637e0ae407377f15dc4f2c809cbfb0b6f866d2a490db2281df24406cde
  SHA512: 9cd768523c75074fa4b4b4f99d1548c160a7f5fb87d20b28043e5bb4cca9ab4496aa0ed643b6f12c6f75b59565df4bda8fd9c7fd5e28a7d9327384447f5b58d8