Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
44s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
06/12/2022, 15:07
Static task
static1
Behavioral task
behavioral1
Sample
8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
Resource
win7-20220901-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
-
Size
360KB
-
MD5
732cdf0b27a32489411c9362859f7632
-
SHA1
2e72e9cd2782328ab35315c0875ff44947f53652
-
SHA256
8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa
-
SHA512
428accb2ad6b1c73b60d26dadbf6c399b5a2744eab1e45cebfd2d392a2d718449a25ca012a83ecc7c0f350819a7a42649b2b0e27ff55edc167d9ed85ec06a86d
-
SSDEEP
6144:Kl8ibNjFefg+sDYwXNlckN7CgJzOGsqB6cd1:4bjFTtGqCgJKfe1
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2000 alg.exe -
Deletes itself 1 IoCs
pid Process 2008 cmd.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: alg.exe File opened (read-only) \??\Q: alg.exe File opened (read-only) \??\R: alg.exe File opened (read-only) \??\O: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\X: alg.exe File opened (read-only) \??\B: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\H: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\M: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\Y: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\I: alg.exe File opened (read-only) \??\J: alg.exe File opened (read-only) \??\A: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\Q: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\K: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\T: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\W: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\L: alg.exe File opened (read-only) \??\S: alg.exe File opened (read-only) \??\U: alg.exe File opened (read-only) \??\V: alg.exe File opened (read-only) \??\I: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\N: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\S: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\Z: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\E: alg.exe File opened (read-only) \??\K: alg.exe File opened (read-only) \??\T: alg.exe File opened (read-only) \??\W: alg.exe File opened (read-only) \??\J: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\Z: alg.exe File opened (read-only) \??\P: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\R: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\U: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\B: alg.exe File opened (read-only) \??\M: alg.exe File opened (read-only) \??\Y: alg.exe File opened (read-only) \??\F: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\G: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\L: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\V: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\X: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\A: alg.exe File opened (read-only) \??\F: alg.exe File opened (read-only) \??\H: alg.exe File opened (read-only) \??\E: 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened (read-only) \??\O: alg.exe File opened (read-only) \??\P: alg.exe File opened (read-only) \??\N: alg.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\alg.exe 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe File opened for modification C:\Windows\KBankStar_2022_12_11.log alg.exe File created C:\Windows\alg.exe 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 2000 alg.exe 2000 alg.exe 2000 alg.exe 2000 alg.exe 2000 alg.exe 2000 alg.exe 2000 alg.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1408 wrote to memory of 2000 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 27 PID 1408 wrote to memory of 2000 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 27 PID 1408 wrote to memory of 2000 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 27 PID 1408 wrote to memory of 2000 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 27 PID 1408 wrote to memory of 2008 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 28 PID 1408 wrote to memory of 2008 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 28 PID 1408 wrote to memory of 2008 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 28 PID 1408 wrote to memory of 2008 1408 8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe"C:\Users\Admin\AppData\Local\Temp\8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe"1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\alg.exeC:\Windows\alg.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2000
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tsrv.bat" "2⤵
- Deletes itself
PID:2008
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252B
MD5b7ca6bf706fa6b946260f8adc36c5ce4
SHA1d0db6693a7b8011cea8c02668b2dd5575bd08a80
SHA256441a832e064c3eb8eed3fded52f7f7f5c3014180244fcadd2698594760c9a48d
SHA512351d313d00ef791d33eb16d1e0c36f0d553fabd7b079f177de0131a63c2e08adb81644965ec86316b3fe1511f50d0c9887081d5487c581ade719d161606d53d5
-
Filesize
360KB
MD5732cdf0b27a32489411c9362859f7632
SHA12e72e9cd2782328ab35315c0875ff44947f53652
SHA2568b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa
SHA512428accb2ad6b1c73b60d26dadbf6c399b5a2744eab1e45cebfd2d392a2d718449a25ca012a83ecc7c0f350819a7a42649b2b0e27ff55edc167d9ed85ec06a86d