Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 129s
max time network: 29s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 20:42
Static task: static1
Behavioral task: behavioral1
  Sample: document_12-05_scan_383.iso
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: document_12-05_scan_383.iso
  Resource: win10v2004-20220812-en
General
Target: document_12-05_scan_383.iso
Size: 1.7MB
MD5: ce445ce7dbc0469ca342b86502dc3a28
SHA1: e88b0016dd2664756ee5645d3011d9c272380185
SHA256: b3798565f8877af13626710aa69119615992cf14e887c2b84fa6c8fc7b57419a
SHA512: ec591a159c08c777158080ddc6234e7bd161a1e8a080257b7b8dd92f381a1c505210b03241cce7b556bf888ec8897352fea2ffadea3746995742a0e3d85931fc
SSDEEP: 6144:NTHJ5BU2WigC+/NZy40onBN14x8N8IcZzEXL:JDB0igC+/NHBN1S8PX
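Before trusting any of the behaviour below against a file you hold, confirm it is the same bytes the sandbox ran. The following is an added example, not part of the tria.ge report: it hashes a file with the four algorithms listed above in one pass and reports every digest that disagrees with the report. The digests in REPORTED are copied from the General section; the function names and the stand-in buffer in the demo are this example's own.

```python
import hashlib
from typing import Dict, Tuple

# Digests the report above lists for document_12-05_scan_383.iso.
REPORTED: Dict[str, str] = {
    "md5": "ce445ce7dbc0469ca342b86502dc3a28",
    "sha1": "e88b0016dd2664756ee5645d3011d9c272380185",
    "sha256": "b3798565f8877af13626710aa69119615992cf14e887c2b84fa6c8fc7b57419a",
    "sha512": "ec591a159c08c777158080ddc6234e7bd161a1e8a080257b7b8dd92f381a1c505210b03241cce7b556bf888ec8897352fea2ffadea3746995742a0e3d85931fc",
}


def digests(data: bytes) -> Dict[str, str]:
    """Hash one in-memory buffer with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all four hashers in a single pass (disc images can be large)."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(actual: Dict[str, str], reported: Dict[str, str] = REPORTED) -> Dict[str, Tuple[str, str]]:
    """Return {algorithm: (reported, actual)} for every digest that differs or is missing.

    An empty result means the bytes you hold are the bytes the sandbox analysed.
    Comparison is case-insensitive because report pages and tools disagree on hex case.
    """
    mismatches: Dict[str, Tuple[str, str]] = {}
    for name, expected in reported.items():
        got = actual.get(name, "")
        if got.lower() != expected.lower():
            mismatches[name] = (expected, got)
    return mismatches


if __name__ == "__main__":
    # Constructed stand-in for the sample: this is not the ISO, so every digest differs.
    stand_in = b"constructed placeholder, not the analysed ISO\n"
    for algo, (expected, got) in sorted(verify(digests(stand_in)).items()):
        print(f"{algo}: reported {expected[:16]}... got {got[:16]}...")
```

Run `verify(digests_of_file("document_12-05_scan_383.iso"))` on the file you intend to analyse; anything other than an empty dict means you are looking at a different sample than this report describes.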
Malware Config: none extracted
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: the only processes in this run are cmd.exe and isoburn.exe (PID 1508), and isoburn.exe is the Windows Disc Image Burner that Windows 7 associates with .iso files. Enumerating optical drives is its normal job, so on its own this signature is weak evidence of ransomware here.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1508  isoburn.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process  procid_target
  PID 2040 wrote to memory of 1508   2040  cmd.exe  28
  PID 2040 wrote to memory of 1508   2040  cmd.exe  28
  PID 2040 wrote to memory of 1508   2040  cmd.exe  28
  Caveat: all three writes are cmd.exe into the child it has just spawned (1508), which is what process creation looks like; this is not injection into an unrelated process.
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\document_12-05_scan_383.iso
   PID: 2040
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\isoburn.exe  (child of PID 2040)
      "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\document_12-05_scan_383.iso"
      PID: 1508
      - Suspicious behavior: GetForegroundWindowSpam

Note: the sandbox opens the sample through its file association, and on Windows 7 (which has no built-in ISO mounting) the .iso association is the Disc Image Burner. The tree shows the image was handed to isoburn.exe and nothing inside it was mounted or executed, so the behavioral1 (Windows 7) run says nothing about what the ISO carries; the behavioral2 task on win10v2004-20220812-en is the one to read for that.
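When triaging many ISO-delivered samples, it is worth classifying this chain automatically so that a Windows 7 run that merely launched the Disc Image Burner is not mistaken for "no malicious behaviour". The code below is an added example, not part of the tria.ge report or its tooling. SAMPLE_PROCESSES is constructed from the process tree above (PIDs, images and command lines as listed; the parent link for 1508 is the WriteProcessMemory relationship the report records). The record field names, the `cmd /c <image>` launch pattern, and the rule that anything executed from a drive letter other than C: indicates a mounted image are this example's assumptions.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Process records constructed from the process tree in the report above.
# Field names ("pid", "ppid", "image", "cmdline") are this example's own.
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 2040, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\document_12-05_scan_383.iso"},
    {"pid": 1508, "ppid": 2040, "image": r"C:\Windows\System32\isoburn.exe",
     "cmdline": r'"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\document_12-05_scan_383.iso"'},
]

# Assumption: the sandbox opens the sample with "cmd /c <path>", handing it to the file association.
LAUNCH_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"?(.+?\.(?:iso|img))"?\s*$', re.IGNORECASE)
# Assumption: Windows and the dropped sample live on C:, so any other drive letter is a mounted image.
SYSTEM_DRIVE = "C:"


def find_launch(procs: List[Dict]) -> Optional[Tuple[Dict, str]]:
    """Locate the cmd /c record that opened a disc image and return (record, image path)."""
    for p in procs:
        m = LAUNCH_RE.match(p["cmdline"].strip())
        if m:
            return p, m.group(1)
    return None


def descendants(procs: List[Dict], pid: int) -> List[Dict]:
    """All processes below pid in the parent/child tree, breadth-first."""
    by_parent: Dict[int, List[Dict]] = {}
    for p in procs:
        by_parent.setdefault(p["ppid"], []).append(p)
    out: List[Dict] = []
    queue = [pid]
    while queue:
        for child in by_parent.get(queue.pop(0), []):
            out.append(child)
            queue.append(child["pid"])
    return out


def classify_iso_launch(procs: List[Dict]) -> Dict:
    """Decide whether the disc image the sandbox opened actually had its contents run."""
    found = find_launch(procs)
    if found is None:
        return {"verdict": "no_iso_launch", "image": None, "handlers": [], "executed_from_mount": []}
    launcher, image_path = found
    kids = descendants(procs, launcher["pid"])
    handlers = [ntpath.basename(k["image"]).lower() for k in kids]
    # Heuristic: a process image on a non-system drive letter means the image was
    # mounted and something inside it ran.
    from_mount = [k["image"] for k in kids
                  if ntpath.splitdrive(k["image"])[0].upper() not in ("", SYSTEM_DRIVE)]
    if from_mount:
        verdict = "mounted_and_executed"
    elif "isoburn.exe" in handlers:
        # Windows 7 has no built-in ISO mount; the .iso association is the Disc Image
        # Burner, which opens the file to burn it and never exposes its contents.
        verdict = "opened_by_disc_image_burner"
    elif kids:
        verdict = "unknown_handler"
    else:
        verdict = "no_handler"
    return {"verdict": verdict, "image": image_path, "handlers": handlers,
            "executed_from_mount": from_mount}


if __name__ == "__main__":
    print(classify_iso_launch(SAMPLE_PROCESSES))
```

For this report the verdict is `opened_by_disc_image_burner`, which should be read as "payload not exercised on this platform" rather than "clean"; feed the Windows 10 task's process tree through the same function to see whether the image was mounted there.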