Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

winprofile

windows7-x64

8

winprofile

windows10-1703-x64

8

Resubmissions

27/03/2023, 08:26

230327-kcbk8see71 7

23/12/2022, 04:08

221223-eqd1maah8x 8

23/12/2022, 03:43

221223-d946gsfg43 8

Analysis

  • max time kernel
    280s
  • max time network
    283s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23/12/2022, 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

  • Size

    1006KB

  • MD5

    8fb066db4762a35fac7f31cedd97cab7

  • SHA1

    5e77aa679dba9ce1ba300de84c40e86f4b8d3864

  • SHA256

    b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

  • SHA512

    2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

  • SSDEEP

    24576:6RL1fJwm75YaYh0kpwIzOalXqBpSnJh9whgefucd9Tb7:CxRwm1lYhLpwISIXqzSn/9whBfbxb

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
    "C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
      C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1580
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BABE8381-926E-4E0F-BC2E-16CE158897C0} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
      C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
        C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1284

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    cea342a892ea38fc5af7cbb12545b810

    SHA1

    445c2411ed87f19897b8ae91f47d16484001a14a

    SHA256

    2773d93ca06a6849ffd99d5e0f6ecde60f3b670da866de75550c08d2a0655d18

    SHA512

    a49a633963ba49e7576f991554d8a73628f4ec349e0f67b4869187459e0feb3b5c347070f4138160138b200675d725264f9399f26cc43987b22630e2e45f7d69

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    cea342a892ea38fc5af7cbb12545b810

    SHA1

    445c2411ed87f19897b8ae91f47d16484001a14a

    SHA256

    2773d93ca06a6849ffd99d5e0f6ecde60f3b670da866de75550c08d2a0655d18

    SHA512

    a49a633963ba49e7576f991554d8a73628f4ec349e0f67b4869187459e0feb3b5c347070f4138160138b200675d725264f9399f26cc43987b22630e2e45f7d69

    Download Submit

  • C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
    Filesize

    1006KB

    MD5

    8fb066db4762a35fac7f31cedd97cab7

    SHA1

    5e77aa679dba9ce1ba300de84c40e86f4b8d3864

    SHA256

    b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

    SHA512

    2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

    Download Submit

  • C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
    Filesize

    1006KB

    MD5

    8fb066db4762a35fac7f31cedd97cab7

    SHA1

    5e77aa679dba9ce1ba300de84c40e86f4b8d3864

    SHA256

    b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

    SHA512

    2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

    Download Submit

  • C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
    Filesize

    1006KB

    MD5

    8fb066db4762a35fac7f31cedd97cab7

    SHA1

    5e77aa679dba9ce1ba300de84c40e86f4b8d3864

    SHA256

    b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

    SHA512

    2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

    Download Submit

  • \Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
    Filesize

    1006KB

    MD5

    8fb066db4762a35fac7f31cedd97cab7

    SHA1

    5e77aa679dba9ce1ba300de84c40e86f4b8d3864

    SHA256

    b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

    SHA512

    2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

    Download Submit

  • memory/848-63-0x000000001B740000-0x000000001BA3F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/848-61-0x000007FEEB4A0000-0x000007FEEBFFD000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/848-64-0x000000000257B000-0x000000000259A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/848-65-0x0000000002574000-0x0000000002577000-memory.dmp

    Filesize

    12KB

    Download

  • memory/848-66-0x000000000257B000-0x000000000259A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/848-62-0x0000000002574000-0x0000000002577000-memory.dmp

    Filesize

    12KB

    Download

  • memory/848-60-0x000007FEEC000000-0x000007FEECA23000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1156-98-0x000007FEEDDD0000-0x000007FEEE92D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1156-99-0x000000001B850000-0x000000001BB4F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1156-97-0x000007FEEE930000-0x000007FEEF353000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1156-100-0x00000000024F4000-0x00000000024F7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1156-105-0x00000000024FB000-0x000000000251A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1156-104-0x00000000024F4000-0x00000000024F7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1156-103-0x00000000024FB000-0x000000000251A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1284-117-0x000000001B706000-0x000000001B725000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1284-116-0x0000000000B40000-0x0000000000B94000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1400-54-0x0000000000B10000-0x0000000000C10000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1400-74-0x000000001ADE6000-0x000000001AE05000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1400-57-0x0000000002440000-0x00000000024D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1400-56-0x000000001C540000-0x000000001C640000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1400-55-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1404-113-0x000000001BF66000-0x000000001BF85000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1404-92-0x0000000000A40000-0x0000000000B40000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1484-67-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1484-68-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1484-70-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1484-71-0x0000000140000000-0x0000000140078000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1484-76-0x000000001BC30000-0x000000001BCD0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1484-77-0x0000000000150000-0x00000000001A6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1484-78-0x00000000006B0000-0x00000000006FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1484-79-0x0000000000AC0000-0x0000000000B14000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1580-102-0x000000000277B000-0x000000000279A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1580-101-0x0000000002774000-0x0000000002777000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1580-83-0x000007FEEE930000-0x000007FEEF353000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1580-86-0x0000000002774000-0x0000000002777000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1580-84-0x000007FEEDDD0000-0x000007FEEE92D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1580-85-0x000000001B710000-0x000000001BA0F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1580-87-0x000000000277B000-0x000000000279A000-memory.dmp

    Filesize

    124KB

    Download