Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

winprofile

windows7-x64

8

winprofile

windows10-1703-x64

8

Analysis

  • max time kernel
    285s
  • max time network
    288s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18/12/2022, 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe

  • Size

    1.0MB

  • MD5

    bb233d4542a170be01c2d14cbb4a1d8a

  • SHA1

    3f5b38c62ab67eb8612af6280294b524d94891cd

  • SHA256

    5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352

  • SHA512

    fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3

  • SSDEEP

    24576:8RVbNR6HnOroQkHwiO7bw0mFR+0rRLgLJ1sbw1vhY:kT8HjQkQ1nmFRryLJ1sGv

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
    "C:\Users\Admin\AppData\Local\Temp\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Users\Admin\AppData\Local\Temp\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
      C:\Users\Admin\AppData\Local\Temp\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3D101C27-5D9A-4817-BDC2-C8EF16804F04} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
      C:\Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
      • C:\Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
        C:\Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
    Filesize

    1.0MB

    MD5

    bb233d4542a170be01c2d14cbb4a1d8a

    SHA1

    3f5b38c62ab67eb8612af6280294b524d94891cd

    SHA256

    5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352

    SHA512

    fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
    Filesize

    1.0MB

    MD5

    bb233d4542a170be01c2d14cbb4a1d8a

    SHA1

    3f5b38c62ab67eb8612af6280294b524d94891cd

    SHA256

    5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352

    SHA512

    fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
    Filesize

    1.0MB

    MD5

    bb233d4542a170be01c2d14cbb4a1d8a

    SHA1

    3f5b38c62ab67eb8612af6280294b524d94891cd

    SHA256

    5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352

    SHA512

    fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    718bcc01891322d13fc85d6c6beb8f02

    SHA1

    b287110c0b88d85e4536aa39c527a4dc8b09d73d

    SHA256

    236a40397de8247473c9a1b48d373990d61f51ceeed96b631fa310542f23469c

    SHA512

    6fd7dcfe20464a3d97d2f69bb1e6d8c7dcd643989d6313753b44d7680367170f3a479e1e46a1b4a06cc305ff79d57cf309a0671eb0009c5cc45cabadf6699f27

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    718bcc01891322d13fc85d6c6beb8f02

    SHA1

    b287110c0b88d85e4536aa39c527a4dc8b09d73d

    SHA256

    236a40397de8247473c9a1b48d373990d61f51ceeed96b631fa310542f23469c

    SHA512

    6fd7dcfe20464a3d97d2f69bb1e6d8c7dcd643989d6313753b44d7680367170f3a479e1e46a1b4a06cc305ff79d57cf309a0671eb0009c5cc45cabadf6699f27

    Download Submit

  • \Users\Admin\AppData\Roaming\5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352.exe
    Filesize

    1.0MB

    MD5

    bb233d4542a170be01c2d14cbb4a1d8a

    SHA1

    3f5b38c62ab67eb8612af6280294b524d94891cd

    SHA256

    5e6259b44a9bd71bfa23de11910ac94d336a6d4d988082afaf94d60065069352

    SHA512

    fac8a98136e7c244d34e2bb8afeb5365597994030ba266f0640808addd990f90395be95a3e518c7406c3872cdf333a054da9537ebd266511918011ce7a747bb3

    Download Submit

  • memory/596-71-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/596-79-0x000000001B4D0000-0x000000001B524000-memory.dmp

    Filesize

    336KB

    Download

  • memory/596-78-0x0000000002610000-0x000000000265C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/596-77-0x00000000025B0000-0x0000000002606000-memory.dmp

    Filesize

    344KB

    Download

  • memory/596-76-0x0000000002510000-0x00000000025B0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/596-67-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/596-68-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/596-70-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1068-98-0x000007FEEE670000-0x000007FEEF093000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1068-105-0x0000000002480000-0x0000000002500000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1068-104-0x0000000002480000-0x0000000002500000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1068-103-0x0000000002480000-0x0000000002500000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1068-100-0x0000000002480000-0x0000000002500000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1068-99-0x000007FEEDB10000-0x000007FEEE66D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1164-102-0x00000000029AB000-0x00000000029CA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1164-101-0x00000000029A4000-0x00000000029A7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1164-84-0x000007FEEE670000-0x000007FEEF093000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1164-85-0x000007FEEDB10000-0x000007FEEE66D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1164-86-0x00000000029A4000-0x00000000029A7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1164-87-0x000000001B770000-0x000000001BA6F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1164-88-0x00000000029AB000-0x00000000029CA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1460-75-0x000000001BFC6000-0x000000001BFE5000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1460-55-0x000000001BAB0000-0x000000001BBB4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1460-57-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1460-56-0x0000000000880000-0x0000000000912000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1460-54-0x0000000001000000-0x0000000001104000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1592-116-0x000000001BC16000-0x000000001BC35000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1780-60-0x000007FEEBBB0000-0x000007FEEC5D3000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1780-63-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1780-61-0x000007FEEB050000-0x000007FEEBBAD000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1780-66-0x000000000244B000-0x000000000246A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1780-64-0x000000000244B000-0x000000000246A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1780-65-0x0000000002444000-0x0000000002447000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1780-62-0x0000000002444000-0x0000000002447000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1916-93-0x00000000000A0000-0x00000000001A4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1916-113-0x000000001BC86000-0x000000001BCA5000-memory.dmp

    Filesize

    124KB

    Download