Analysis

  • max time kernel
    109s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/12/2022, 04:39

General

  • Target

    Instalador SisFarmacia V4.0/SisFarmacia.exe

  • Size

    26.3MB

  • MD5

    d70ef7837cfe5384462b2beefa416a29

  • SHA1

    cd3a9add1593afdd2ed010d03293837275a0685f

  • SHA256

    db5f11d627bc35e0ae02c83b3aa8bcde104f8b0002213aa4b2ebdfc22dc80b23

  • SHA512

    9027c8dd06805b79f1e2dbf0ba83d87c3c01a642c4a92b2bf7f218814ac95b424a19855a20e146af8d2c2280f105edfd1235b27642e4ecdf20048c046a6a6a84

  • SSDEEP

    786432:+RVsd+VFvQYHQY1pjPPNsNlEDJ0Z8+hcO2ona7c:YVFY+1pbNi+N2CSaQ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system. For an Inno Setup installer (the /SL5 switch on the SisFarmacia.tmp command line below identifies the packaging) this is expected behaviour: setup reads its own <AppId>_is1 entry under the Uninstall key to detect a previous installation before upgrading, so this hit carries little weight on its own.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Triage's signature text calls this "likely ransomware behaviour", but an installer that checks free space on the destination drive triggers the same signature, so for this sample it is a weak indicator unless the dropped files show encryption or note-dropping behaviour, which the report does not.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs (all attached to the two iexplore.exe processes in the tree below, which the installed application launches to open http://java.com/download; these are Internet Explorer's own first-run writes, not changes made by the installer)
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Instalador SisFarmacia V4.0\SisFarmacia.exe
    "C:\Users\Admin\AppData\Local\Temp\Instalador SisFarmacia V4.0\SisFarmacia.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\is-136L1.tmp\SisFarmacia.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-136L1.tmp\SisFarmacia.tmp" /SL5="$101B8,26858922,797184,C:\Users\Admin\AppData\Local\Temp\Instalador SisFarmacia V4.0\SisFarmacia.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Program Files (x86)\SisFarmacia\SisFarmacia.exe
        "C:\Program Files (x86)\SisFarmacia\SisFarmacia.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1176
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1fc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1168
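The process tree above is the standard Inno Setup chain: the downloaded installer (SetupLdr stub, PID 2008) extracts the real setup program to `is-136L1.tmp\SisFarmacia.tmp` and hands it the `/SL5` argument, which tells it where the setup header and compressed file data live inside the original installer. The installed application then opens `http://java.com/download` in Internet Explorer, i.e. it prompts for a Java runtime. The following script is an added example, not code from the Triage report or from the SisFarmacia vendor. It parses the `/SL5` string exactly as it appears in the tree, checks that the offsets it carries are plausible for the reported installer size, looks for the Inno Setup header ID at Offset0, and verifies a dropped file against the hashes the report lists. The `/SL5` layout (`$HWND,Offset0,Offset1,SetupFilename`, with Offset0 pointing at a 64-byte `Inno Setup Setup Data (x.y.z)` ID string) is taken from the Inno Setup source, not from this page; the 26.3MB size is the report's rounded figure, and the sample file and header bytes in `demo()` are constructed.

```python
"""Added example (not part of the Triage report): parse the Inno Setup
/SL5 loader argument from the process tree, sanity-check its offsets
against the parent installer, and verify a dropped file's hashes.

Assumptions (from the Inno Setup source, not from the report):
  /SL5="$HWND,Offset0,Offset1,SetupFilename"
  Offset0 = offset of the setup header block in the original installer,
            which starts with a 64-byte ID such as
            "Inno Setup Setup Data (5.x.y)".
  Offset1 = offset of the compressed file data.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Command line of PID 276, copied from the report.
REPORT_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\is-136L1.tmp\SisFarmacia.tmp" '
    r'/SL5="$101B8,26858922,797184,'
    r'C:\Users\Admin\AppData\Local\Temp\Instalador SisFarmacia V4.0\SisFarmacia.exe"'
)
# The report rounds the installer size to 26.3MB; this is the approximate byte count.
REPORTED_SIZE = 27_577_548

SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),(.+?)"')
INNO_ID_PREFIX = b"Inno Setup Setup Data"


@dataclass
class Sl5Args:
    hwnd: int
    offset0: int      # setup header block
    offset1: int      # compressed file data
    setup_path: str   # original installer the .tmp reads from


def parse_sl5(cmdline: str) -> Sl5Args:
    """Extract the /SL5 argument from a SetupLdr child command line."""
    m = SL5_RE.search(cmdline)
    if not m:
        raise ValueError("no /SL5 argument in command line")
    return Sl5Args(int(m.group(1), 16), int(m.group(2)), int(m.group(3)), m.group(4))


def offsets_plausible(args: Sl5Args, installer_size: int) -> bool:
    """Both offsets must lie inside the parent file; in a normal Inno Setup
    layout the file data (Offset1) precedes the header block (Offset0)."""
    return 0 < args.offset1 < args.offset0 < installer_size


def read_setup_data_id(installer: bytes, args: Sl5Args) -> Optional[str]:
    """Return the NUL-terminated ID string at Offset0 if it looks like an
    Inno Setup header, else None (a mismatch means the /SL5 offsets do not
    describe the file that was actually submitted)."""
    chunk = installer[args.offset0:args.offset0 + 64]
    if not chunk.startswith(INNO_ID_PREFIX):
        return None
    return chunk.split(b"\x00", 1)[0].decode("ascii", "replace")


def hash_file(path: Path) -> dict:
    """MD5/SHA1/SHA256/SHA512 of a file, streamed in 1 MiB blocks."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}


def hash_mismatches(path: Path, expected: dict) -> list:
    """Names of the algorithms whose digest differs from the report's value."""
    actual = hash_file(path)
    return sorted(n for n, v in expected.items() if actual[n] != v.lower())


def demo() -> dict:
    """Run every check on the report's /SL5 string and on constructed data."""
    args = parse_sl5(REPORT_CMDLINE)
    # Constructed 200-byte blob with an Inno Setup style ID at offset 100.
    fake = bytearray(200)
    ident = b"Inno Setup Setup Data (5.5.7) (u)"
    fake[100:100 + len(ident)] = ident
    # Constructed sample file standing in for a dropped file from the report.
    sample = Path(tempfile.mkdtemp()) / "sample.bin"
    sample.write_bytes(b"constructed sample, not the real installer\n")
    good = hash_file(sample)
    bad = dict(good, md5="0" * 32)   # simulate a report/file mismatch
    return {
        "args": args,
        "plausible": offsets_plausible(args, REPORTED_SIZE),
        "id": read_setup_data_id(bytes(fake), Sl5Args(0, 100, 10, "constructed")),
        "mismatch_ok": hash_mismatches(sample, good),
        "mismatch_bad": hash_mismatches(sample, bad),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

To use this on the real artefacts, feed `read_setup_data_id` the bytes of the submitted `SisFarmacia.exe` and pass the SHA256/MD5 values from the Downloads section as `expected` to `hash_mismatches` for the dropped `SisFarmacia.tmp` and `Program Files (x86)\SisFarmacia\SisFarmacia.exe`; a non-empty mismatch list means the file you have is not the one Triage analysed.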

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\SisFarmacia\SisFarmacia.exe

    Filesize

    27.5MB

    MD5

    174c35ddcc0e16e09e79c1ca9cec8583

    SHA1

    47f9cc5d3b5359c567656dd18a8b2c49f55e3da5

    SHA256

    6bfaefce386126e6c9e3ec781a30106cfd7f74e420cbc91f720d9c2c4a28ad0c

    SHA512

    4d73e5e5b5bee5ca5a6ef3fecc16f87d1dd64e40730772572f4befe4653c7277350c00b0649a9096f5ef877da3bd25d706a326e7d3b9a24defe8fe37be481031

  • C:\Users\Admin\AppData\Local\Temp\is-136L1.tmp\SisFarmacia.tmp

    Filesize

    2.5MB

    MD5

    27468e29378f0528abb039cd242b99a9

    SHA1

    b8c088508ff39708c1048b6fc64106339a8c5c52

    SHA256

    14e7028ed14eed990ef349ddcd991fe53c37416307b05e6cdc0c2eebeb8f6734

    SHA512

    1cc62d4c28cacc120c0bfd7ebc80432f6b17f2b0d4d9d51ebb2122e265138f42cd14ddc2992bb9c863cc2207f0c02abb7e2900aee5a4f08b971801078c3fb827

  • \Program Files (x86)\SisFarmacia\SisFarmacia.exe

    Filesize

    27.5MB

    MD5

    174c35ddcc0e16e09e79c1ca9cec8583

    SHA1

    47f9cc5d3b5359c567656dd18a8b2c49f55e3da5

    SHA256

    6bfaefce386126e6c9e3ec781a30106cfd7f74e420cbc91f720d9c2c4a28ad0c

    SHA512

    4d73e5e5b5bee5ca5a6ef3fecc16f87d1dd64e40730772572f4befe4653c7277350c00b0649a9096f5ef877da3bd25d706a326e7d3b9a24defe8fe37be481031

  • \Users\Admin\AppData\Local\Temp\is-136L1.tmp\SisFarmacia.tmp

    Filesize

    2.5MB

    MD5

    27468e29378f0528abb039cd242b99a9

    SHA1

    b8c088508ff39708c1048b6fc64106339a8c5c52

    SHA256

    14e7028ed14eed990ef349ddcd991fe53c37416307b05e6cdc0c2eebeb8f6734

    SHA512

    1cc62d4c28cacc120c0bfd7ebc80432f6b17f2b0d4d9d51ebb2122e265138f42cd14ddc2992bb9c863cc2207f0c02abb7e2900aee5a4f08b971801078c3fb827

  • memory/276-62-0x0000000074311000-0x0000000074313000-memory.dmp

    Filesize

    8KB

  • memory/2008-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

    Filesize

    8KB

  • memory/2008-55-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2008-61-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2008-68-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB