Analysis

  • max time kernel
    201s
  • max time network
    201s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2022, 20:15

General

  • Target

    c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe

  • Size

    21KB

  • MD5

    94a08d6a616405f1decec3176835d6ce

  • SHA1

    d254b68e976e7c3a592a6867d14b71c1a77c7977

  • SHA256

    c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4

  • SHA512

    fc6562eac2ee059de6e2feef64705bc906bbb0c5477ae984732b8a9e9537081423706af459498e6c37c96ddcd44d5296356d2569170c093f9360451bcc995b0c

  • SSDEEP

    384:UswN2+n8MQDzLg4US6pQR7HO21CkGbQ1lusU:S2+yDPg4MpQZugGk1lusU

Score
6/10

Malware Config

Signatures

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe
    "C:\Users\Admin\AppData\Local\Temp\c5ab2f66cc4f30f17ffcb383f1642514d6d45ff2a06554c29eee348a7edf10c4.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:304
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1148

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\temp.txt

    Filesize

    50B

    MD5

    a3678cf79c4f149e59c6c75c1c6f6821

    SHA1

    0239522d74d7516e13e740e8aed22630325a09ce

    SHA256

    1a245348548efbd1b61b54da0c068c8dddfeb3b7c5971b617352012f5cc778f6

    SHA512

    73fbc895f89fffedb9f2d87aa0fa1fc238ecb5c5c5d00ef828f2d1861407513b8847dedc96b56e0ef9657ec370f968af3f53cf665597ad071509776c1d7a21c6

  • memory/304-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

    Filesize

    8KB