Analysis

  • max time kernel
    44s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2022, 15:07

General

  • Target

    8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe

  • Size

    360KB

  • MD5

    732cdf0b27a32489411c9362859f7632

  • SHA1

    2e72e9cd2782328ab35315c0875ff44947f53652

  • SHA256

    8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa

  • SHA512

    428accb2ad6b1c73b60d26dadbf6c399b5a2744eab1e45cebfd2d392a2d718449a25ca012a83ecc7c0f350819a7a42649b2b0e27ff55edc167d9ed85ec06a86d

  • SSDEEP

    6144:Kl8ibNjFefg+sDYwXNlckN7CgJzOGsqB6cd1:4bjFTtGqCgJKfe1

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe
    "C:\Users\Admin\AppData\Local\Temp\8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\alg.exe
      C:\Windows\alg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsrv.bat" "
      2⤵
      • Deletes itself
      PID:2008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tsrv.bat

    Filesize

    252B

    MD5

    b7ca6bf706fa6b946260f8adc36c5ce4

    SHA1

    d0db6693a7b8011cea8c02668b2dd5575bd08a80

    SHA256

    441a832e064c3eb8eed3fded52f7f7f5c3014180244fcadd2698594760c9a48d

    SHA512

    351d313d00ef791d33eb16d1e0c36f0d553fabd7b079f177de0131a63c2e08adb81644965ec86316b3fe1511f50d0c9887081d5487c581ade719d161606d53d5

  • C:\Windows\alg.exe

    Filesize

    360KB

    MD5

    732cdf0b27a32489411c9362859f7632

    SHA1

    2e72e9cd2782328ab35315c0875ff44947f53652

    SHA256

    8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa

    SHA512

    428accb2ad6b1c73b60d26dadbf6c399b5a2744eab1e45cebfd2d392a2d718449a25ca012a83ecc7c0f350819a7a42649b2b0e27ff55edc167d9ed85ec06a86d

  • memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

    Filesize

    8KB
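The Processes and Downloads sections above together show two things worth confirming before writing this sample up: the file dropped at C:\Windows\alg.exe carries exactly the same MD5/SHA1/SHA256/SHA512 as the submitted sample (a verbatim self-copy, not a second stage), and the "Deletes itself" signature is carried by a cmd.exe child running a batch file from the user's Temp directory. The script below is an added example, not part of the tria.ge report or of tria.ge's tooling: it transcribes the report's hashes and process tree into local dicts (the dict layout is an assumed local convention, not tria.ge's API schema), flags dropped files whose SHA-256 equals the sample's, locates the cmd.exe/.bat self-deletion chain, and provides a streaming hasher so a retrieved copy of alg.exe can be checked against the listed digests. The contents of tsrv.bat are not shown in the report, so the self-deletion check is a heuristic on the process tree only.

```python
"""Post-processing helpers for a tria.ge-style sandbox report (added example).

Report values below are transcribed from the page; the dict layout is a local
convention for this example, not tria.ge's API schema.
"""
import hashlib
import re

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_SHA256 = "8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa"
SAMPLE_PATH = TEMP_DIR + "\\" + SAMPLE_SHA256 + ".exe"

# "Downloads" section of the report: dropped files and their SHA-256.
ARTIFACTS = [
    {"path": TEMP_DIR + r"\tsrv.bat",
     "sha256": "441a832e064c3eb8eed3fded52f7f7f5c3014180244fcadd2698594760c9a48d"},
    {"path": r"C:\Windows\alg.exe",
     "sha256": "8b8851878c1d9a6c5cf55348384e5dcb2fa441566be0e1a65f0cce43d84dedfa"},
]

# "Processes" section of the report: pid, parent pid, image and command line.
PROCESSES = [
    {"pid": 1408, "ppid": None, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 2000, "ppid": 1408, "image": r"C:\Windows\alg.exe",
     "cmdline": r"C:\Windows\alg.exe"},
    {"pid": 2008, "ppid": 1408, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c ""' + TEMP_DIR + r'\tsrv.bat" "'},
]

DIGESTS = ("md5", "sha1", "sha256", "sha512")


def hashes_of_bytes(data: bytes) -> dict:
    """The four digests the report lists, hex encoded, for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hashes_of_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, streamed so large samples need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def self_copies(sample_sha256: str, artifacts: list) -> list:
    """Paths of dropped files whose SHA-256 equals the submitted sample's.

    A match means the sample wrote itself verbatim to that location; a dropped
    file with a different hash would be a distinct payload needing its own analysis.
    """
    return [a["path"] for a in artifacts
            if a["sha256"].lower() == sample_sha256.lower()]


# A quoted path ending in .bat anywhere on the command line.
BAT_IN_QUOTES = re.compile(r'"([^"]+\.bat)"', re.IGNORECASE)


def self_delete_chains(processes: list) -> list:
    """(parent pid, cmd.exe pid, batch path) for each cmd.exe child running a .bat from a Temp dir.

    This is the process-tree shape of the common batch-file self-deletion trick:
    cmd.exe outlives its parent, so the script can remove the original executable
    once the parent has exited. The batch contents are not inspected here.
    """
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_IN_QUOTES.search(p["cmdline"])
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        hits.append((parent["pid"], p["pid"], m.group(1)))
    return hits


if __name__ == "__main__":
    for path in self_copies(SAMPLE_SHA256, ARTIFACTS):
        print("byte-identical self-copy of the sample:", path)
    for parent, child, bat in self_delete_chains(PROCESSES):
        print(f"self-delete chain: pid {parent} -> cmd.exe pid {child} running {bat}")
    # With a retrieved copy of the dropped file, compare hashes_of_file("alg.exe")
    # against the MD5/SHA1/SHA256/SHA512 values listed in the report.
```

Because the drop is a byte-identical copy, one set of hashes covers both the original and C:\Windows\alg.exe for blocklisting; the only new artifact hash to record is tsrv.bat's.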