Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
08/01/2023, 01:34
General
-
Target
8c72bdf5ce56daa59a0179d8887bf9f9f25f6ab2fcac9e6a37822b5de41aefc6.exe
-
Size
353KB
-
MD5
caefcbff399930fc8d852ce6694e87d9
-
SHA1
2a62a955b96d07c00a1e68aab2d9d4326ba93f84
-
SHA256
8c72bdf5ce56daa59a0179d8887bf9f9f25f6ab2fcac9e6a37822b5de41aefc6
-
SHA512
a7a0ce84dc43b9567a9578ed153123cdd408fa5f7799c539b30aeb43e0946a35e83615e1a2d19872b6b9927308e9e6fba5abfcee9c63ccb86d308a07da055247
-
SSDEEP
6144:ZaqxDnHyiNbLgKEof6XURHv8sjWjMS/s6Gzi6Wb:ZaqxDnS8U5oxHPOE68i
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 36 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c72bdf5ce56daa59a0179d8887bf9f9f25f6ab2fcac9e6a37822b5de41aefc6.exe"C:\Users\Admin\AppData\Local\Temp\8c72bdf5ce56daa59a0179d8887bf9f9f25f6ab2fcac9e6a37822b5de41aefc6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F254.exeC:\Users\Admin\AppData\Local\Temp\F254.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 155673⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5dcbc5a70b4e08eaa9cc8a5d5f082bb2f
SHA12a011ebdb768f1bcc2d6d81f4bf7dd726975c603
SHA2563d4fc663c27c5068d17d1237ca674416457708e18301db8514f334d22e6aabd8
SHA512835be5dec8a97c92feb64a457546a8dda78bba3d28a90d7fb281bb6354d1818d135fbd0959209abd82093116a1f4a5c9b2f9e02972b97a0bafbcb4ba66323d85
-
Filesize
1.1MB
MD5dcbc5a70b4e08eaa9cc8a5d5f082bb2f
SHA12a011ebdb768f1bcc2d6d81f4bf7dd726975c603
SHA2563d4fc663c27c5068d17d1237ca674416457708e18301db8514f334d22e6aabd8
SHA512835be5dec8a97c92feb64a457546a8dda78bba3d28a90d7fb281bb6354d1818d135fbd0959209abd82093116a1f4a5c9b2f9e02972b97a0bafbcb4ba66323d85
-
Filesize
714KB
MD59dd70d24b2657a9254b9fd536a4d06d5
SHA1348a1d210d7c4daef8ecdb692eadf3975971e8ee
SHA256d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd
SHA512dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6
-
Filesize
714KB
MD59dd70d24b2657a9254b9fd536a4d06d5
SHA1348a1d210d7c4daef8ecdb692eadf3975971e8ee
SHA256d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd
SHA512dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6
-
Filesize
11.3MB
-
Filesize
8KB
-
Filesize
11.3MB
-
Filesize
2.7MB
-
Filesize
2.6MB
-
Filesize
44.1MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
88KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
44.1MB
-
Filesize
88KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
892KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.1MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
44.9MB
-
Filesize
44.9MB