Analysis

  • max time kernel
    137s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2022, 19:50

General

  • Target

    dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe

  • Size

    780KB

  • MD5

    a548a295a9be7a551c68c55d004e7b80

  • SHA1

    5327b8f9e2ec4028b87cad472e91abb6cec73783

  • SHA256

    dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

  • SHA512

    4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

  • SSDEEP

    24576:pcTICFaA6zm9TEuCaelHWmQR54qEc5ysEwkzrYRQ+:paFXdYQ4qXqworYRQ+

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
    "C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy "C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe" "C:\Users\Admin\AppData\Local\\usnscv.exe"
        3⤵
          PID:1528
      • C:\Users\Admin\AppData\Local\usnscv.exe
        "C:\Users\Admin\AppData\Local\usnscv.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:1568
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1652

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Seda (6).jpg

      Filesize

      30KB

      MD5

      706bde189715539261388384ac5d2c84

      SHA1

      17172d5cb0fca50bd76132158a36656cc7835a03

      SHA256

      6f280ab6cc663486fd7e97b8d324a9c1ece4c542019f20cabf0aff99bd217749

      SHA512

      a285b1145a0f1a8afd21d399f6149d885a6b274f806dd544593d2d844cbbd5b0d18576a43b56579736ef2f4e1adf850ab717d472e30c50b3048ce6b8c5df51f9

    • C:\Users\Admin\AppData\Local\Temp\winupdate.bat

      Filesize

      180B

      MD5

      3f6e7bb4566261ebcf5006ad2dcd890f

      SHA1

      2bd4620b3f16a8914a808ce8bbc42dbd3e1808ba

      SHA256

      09ec06d7b58b8defc991147af5310a643fe7e73d04286c3589611f902ec10eb5

      SHA512

      8f4ee203a56460206b01fde5be79d42d16bbea4815e37e5b54572afb85d3d996e2b87a082f5a3aab95533bfe367cace0d5a49bfa19526d94509cc20eb548ac7e

    • C:\Users\Admin\AppData\Local\usnscv.exe

      Filesize

      780KB

      MD5

      a548a295a9be7a551c68c55d004e7b80

      SHA1

      5327b8f9e2ec4028b87cad472e91abb6cec73783

      SHA256

      dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

      SHA512

      4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

    • \Users\Admin\AppData\Local\usnscv.exe

      Filesize

      780KB

      MD5

      a548a295a9be7a551c68c55d004e7b80

      SHA1

      5327b8f9e2ec4028b87cad472e91abb6cec73783

      SHA256

      dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

      SHA512

      4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

    • memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp

      Filesize

      8KB

    • memory/1568-63-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

    • memory/1568-61-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

    • memory/1568-66-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

    • memory/1568-68-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

    • memory/1568-70-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB