Analysis
- max time kernel: 56s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 13:01
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
  - Resource: win7-20220812-en

Behavioral task
- behavioral2
  - Sample: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
  - Resource: win10v2004-20220812-en
General
- Target: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
- Size: 184KB
- MD5: 4d36e000b64bf076db39a16e2ed6fcdf
- SHA1: 325887bf4aa370235e6e2ae34faddf56d6143643
- SHA256: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5
- SHA512: 205cd35991fc2535ddf618c80ab30abaf1bde509007480ecd77cee5eb941e624ba6b92d5e67fe8e40962d4635181e692cb4f0edcc31c3f2bfa06f7e120209795
- SSDEEP: 3072:9ydJq5oyVzs+h0JI5J0SpUldLS3lgGBd/AkKHBRQ/rPOy9xnnHsGvPwsAvWDA:4W2+tUnoC2/ALhyzpsGvPw6k
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid 1144: OFFICE~1.EXE
- yara_rule match: upx (8 resources)
  - behavioral1/files/0x0006000000015c60-54.dat
  - behavioral1/files/0x0006000000015c60-56.dat
  - behavioral1/files/0x0006000000015c60-58.dat
  - behavioral1/files/0x0006000000015c60-59.dat
  - behavioral1/files/0x0006000000015c60-60.dat
  - behavioral1/files/0x0006000000015c60-61.dat
  - behavioral1/memory/1144-63-0x0000000000400000-0x0000000000425000-memory.dmp
  - behavioral1/memory/1144-71-0x0000000000400000-0x0000000000425000-memory.dmp
- Loads dropped DLL (4 IoCs)
  - pid 304: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe
  - pid 1144: OFFICE~1.EXE (3 entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeBackupPrivilege, pid 1452: reg.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  - PID 304 (304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe) wrote to memory of 1144, procid_target 27 (7 entries)
  - PID 1144 (OFFICE~1.EXE) wrote to memory of 2040, procid_target 28 (7 entries)
  - PID 2040 (cmd.exe) wrote to memory of 1452, procid_target 30 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe (PID 304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\304aad4728eb3a73e3fae493391bcff6313a081c95b77e2d6a0be8edd2c324f5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE (PID 1144)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OFFICE~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2040)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\SaveOffice.cmd" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1452)
        Command line: reg save HKLM\SOFTWARE c:\OfficeRegBak.hiv
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 86KB
  MD5: 216ecd0bfdbc552f593f05b9ebe5dbfa
  SHA1: fe6bb61411801f1a62e133d994455083c5b99820
  SHA256: 96ad52c7bd0add41eef200fbb913d9f79af79357fe6d30214bb1b74a37c8a49b
  SHA512: da6f0b775c54358f79b5c13f2faf0211841dce41b80c5eacee7402c3af87d60fea6dd79f404947210fd4ab55b0af4baad731397e9f9d45a4e8c0ea07028358bb
- Filesize: 981B
  MD5: b8f78830dd1782e12b8807aea7384ac2
  SHA1: bee8e85498a0e0add628bda558dfe652554e0ec4
  SHA256: c374fabdfe02c9434af163e230d88c34387a461efb6fe251f602a45766dfba35
  SHA512: 3799f6d162bdfc01bad49b22490387c8c71c36bf163bca22748b47e5a48c7b9e4b46c40f94246b08368a972e0ade4c6af0b59a681aeb3f77640fdc7e1d01f4fa