Analysis
max time kernel: 137s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
  Resource: win10v2004-20220901-en
General
Target: dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
Size: 780KB
MD5: a548a295a9be7a551c68c55d004e7b80
SHA1: 5327b8f9e2ec4028b87cad472e91abb6cec73783
SHA256: dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001
SHA512: 4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22
SSDEEP: 24576:pcTICFaA6zm9TEuCaelHWmQR54qEc5ysEwkzrYRQ+:paFXdYQ4qXqworYRQ+
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1568  Process usnscv.exe
- Loads dropped DLL (2 IoCs)
  pid 1004  Process dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
  pid 1004  Process dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run  (Process: usnscv.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\usnscv.exe = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\" /background"  (Process: usnscv.exe)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1004 set thread context of 1568  pid 1004  Process dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe  procid_target 31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1652  Process DllHost.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 1004 wrote to memory of 1632 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 28
  PID 1004 wrote to memory of 1632 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 28
  PID 1004 wrote to memory of 1632 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 28
  PID 1004 wrote to memory of 1632 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 28
  PID 1004 wrote to memory of 1632 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 28
  PID 1004 wrote to memory of 1632 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 28
  PID 1004 wrote to memory of 1632 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 28
  PID 1632 wrote to memory of 1528 | 1632 | cmd.exe | 30
  PID 1632 wrote to memory of 1528 | 1632 | cmd.exe | 30
  PID 1632 wrote to memory of 1528 | 1632 | cmd.exe | 30
  PID 1632 wrote to memory of 1528 | 1632 | cmd.exe | 30
  PID 1004 wrote to memory of 1568 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 31
  PID 1004 wrote to memory of 1568 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 31
  PID 1004 wrote to memory of 1568 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 31
  PID 1004 wrote to memory of 1568 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 31
  PID 1004 wrote to memory of 1568 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 31
  PID 1004 wrote to memory of 1568 | 1004 | dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe  (PID 1004, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 1632, level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1528, level 3)
      Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe" "C:\Users\Admin\AppData\Local\\usnscv.exe"
  C:\Users\Admin\AppData\Local\usnscv.exe  (PID 1568, level 2)
    Command line: "C:\Users\Admin\AppData\Local\usnscv.exe"
    - Executes dropped EXE
    - Adds Run key to start application
C:\Windows\SysWOW64\DllHost.exe  (PID 1652, level 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 30KB
  MD5: 706bde189715539261388384ac5d2c84
  SHA1: 17172d5cb0fca50bd76132158a36656cc7835a03
  SHA256: 6f280ab6cc663486fd7e97b8d324a9c1ece4c542019f20cabf0aff99bd217749
  SHA512: a285b1145a0f1a8afd21d399f6149d885a6b274f806dd544593d2d844cbbd5b0d18576a43b56579736ef2f4e1adf850ab717d472e30c50b3048ce6b8c5df51f9
- Filesize: 180B
  MD5: 3f6e7bb4566261ebcf5006ad2dcd890f
  SHA1: 2bd4620b3f16a8914a808ce8bbc42dbd3e1808ba
  SHA256: 09ec06d7b58b8defc991147af5310a643fe7e73d04286c3589611f902ec10eb5
  SHA512: 8f4ee203a56460206b01fde5be79d42d16bbea4815e37e5b54572afb85d3d996e2b87a082f5a3aab95533bfe367cace0d5a49bfa19526d94509cc20eb548ac7e
- Filesize: 780KB
  MD5: a548a295a9be7a551c68c55d004e7b80
  SHA1: 5327b8f9e2ec4028b87cad472e91abb6cec73783
  SHA256: dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001
  SHA512: 4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22