Analysis
max time kernel: 128s
max time network: 41s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 06/12/2022, 16:44
Static task: static1
Behavioral task: behavioral1
  Sample: b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe
  Resource: win10v2004-20221111-en
General
Target: b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe
Size: 44KB
MD5: 3f70190e86fa3aef81768e5fd9dd862c
SHA1: 8ad173aa4baf18d7b86d8f4e160d29a4baa73810
SHA256: b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883
SHA512: 47f6417b26ffd92d44ee52e0c82f282bbc160a046fff053b7fa44154c1ded0cae13ae975988589597893c87652613594dfc6c9308925430e62314491e4bb29c7
SSDEEP: 768:gqJxn8eXSZ9Ss0JLIbuxln62gb58126HAjHtU2qvtO1a58t1tRONToj0Enjd76RL:d9lXdHQmaLLONEnjF64
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 792  Process chrome.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 1576  Process netsh.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe  Process chrome.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe  Process chrome.exe
Loads dropped DLL (1 IoC)
  pid 1476  Process b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."  Process chrome.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."  Process chrome.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 792  Process chrome.exe
  pid 792  Process chrome.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 792  Process chrome.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target
  PID 1476 wrote to memory of 792  1476  b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe  27
  PID 1476 wrote to memory of 792  1476  b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe  27
  PID 1476 wrote to memory of 792  1476  b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe  27
  PID 1476 wrote to memory of 792  1476  b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe  27
  PID 792 wrote to memory of 1576  792  chrome.exe  28
  PID 792 wrote to memory of 1576  792  chrome.exe  28
  PID 792 wrote to memory of 1576  792  chrome.exe  28
  PID 792 wrote to memory of 1576  792  chrome.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883.exe"
  PID: 1476
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\chrome.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    PID: 792
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
      PID: 1576
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 44KB
MD5: 3f70190e86fa3aef81768e5fd9dd862c
SHA1: 8ad173aa4baf18d7b86d8f4e160d29a4baa73810
SHA256: b077b323bb0c5955af06b6e0c93ba36e489d6b0a8de9e2fc9c55fdb84550a883
SHA512: 47f6417b26ffd92d44ee52e0c82f282bbc160a046fff053b7fa44154c1ded0cae13ae975988589597893c87652613594dfc6c9308925430e62314491e4bb29c7