Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
201s -
max time network
201s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
06/12/2022, 20:15
Static task
static1
Behavioral task
behavioral1
Sample
c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe
-
Size
21KB
-
MD5
94a08d6a616405f1decec3176835d6ce
-
SHA1
d254b68e976e7c3a592a6867d14b71c1a77c7977
-
SHA256
c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4
-
SHA512
fc6562eac2ee059de6e2feef64705bc906bbb0c5477ae984732b8a9e9537081423706af459498e6c37c96ddcd44d5296356d2569170c093f9360451bcc995b0c
-
SSDEEP
384:UswN2+n8MQDzLg4US6pQR7HO21CkGbQ1lusU:S2+yDPg4MpQZugGk1lusU
Score
6/10
Malware Config
Signatures
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\temp.txt c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1148 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 304 wrote to memory of 1148 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 27 PID 304 wrote to memory of 1148 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 27 PID 304 wrote to memory of 1148 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 27 PID 304 wrote to memory of 1148 304 c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe 27 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe"C:\Users\Admin\AppData\Local\Temp\c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe"1⤵
- Accesses Microsoft Outlook profiles
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:304 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp.txt2⤵
- Opens file in notepad (likely ransom note)
PID:1148
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD5a3678cf79c4f149e59c6c75c1c6f6821
SHA10239522d74d7516e13e740e8aed22630325a09ce
SHA2561a245348548efbd1b61b54da0c068c8dddfeb3b7c5971b617352012f5cc778f6
SHA51273fbc895f89fffedb9f2d87aa0fa1fc238ecb5c5c5d00ef828f2d1861407513b8847dedc96b56e0ef9657ec370f968af3f53cf665597ad071509776c1d7a21c6