Analysis

max time kernel: 153s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/01/2023, 16:59
Static task: static1

Behavioral task: behavioral1
  Sample: c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe
  Resource: win10v2004-20220812-en
General

Target: c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe
Size: 1.9MB
MD5: 53594cf41be285fa4304d10b680245f2
SHA1: 6a2841d2af67d098f93b2a6df527abb08923ae22
SHA256: c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0
SHA512: b0c2f53023381c29267c36a44e4cec39272af41a8b5068250de9d71cd899e8feb6cc887b13b785e9ffb1c7b1174e670d47559dd85bf47b655595ee07ad3b5151
SSDEEP: 24576:iu6J33O0c+JY5UZ+XC0kGso6Fa9GWjtGD0GY/y69Pk3dF08EsmwrTZIZvziK6gQf:Eu0c++OCvkGs9FaIXKZlOVYk
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  544   wbadmin.exe
  1796  wbadmin.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NET Framework = "C:\\Users\\Admin\\AppData\\Roaming\\Roaming\\Application Frame Host.exe"
  Process: RegAsm.exe

AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                     yara_rule
  behavioral1/files/0x00080000000122ec-69.dat  autoit_exe
  behavioral1/files/0x00080000000122ec-71.dat  autoit_exe
  behavioral1/files/0x00080000000122ec-88.dat  autoit_exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 964 set thread context of 1860   964   c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe  26
  PID 544 set thread context of 552    544   wbadmin.exe                                                               36
  PID 1796 set thread context of 1364  1796  wbadmin.exe                                                               40

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1048  schtasks.exe
  1408  schtasks.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1860  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            1860  RegAsm.exe
  Token: 33                          1860  RegAsm.exe
  Token: SeIncBasePriorityPrivilege  1860  RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1860  RegAsm.exe

Suspicious use of WriteProcessMemory (49 IoCs; identical rows grouped, number of occurrences in the last column)
  description                       pid   Process                                                                   procid_target  count
  PID 964 wrote to memory of 1860   964   c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe  26             9
  PID 964 wrote to memory of 1048   964   c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe  29             4
  PID 564 wrote to memory of 544    564   taskeng.exe                                                               35             7
  PID 544 wrote to memory of 552    544   wbadmin.exe                                                               36             9
  PID 544 wrote to memory of 1408   544   wbadmin.exe                                                               37             4
  PID 564 wrote to memory of 1796   564   taskeng.exe                                                               39             7
  PID 1796 wrote to memory of 1364  1796  wbadmin.exe                                                               40             9
Processes

C:\Users\Admin\AppData\Local\Temp\c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe (PID 964)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1860)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\schtasks.exe (PID 1048)
    cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn rasdial /tr "C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

C:\Windows\system32\wbem\WmiApSrv.exe (PID 1972)
  cmdline: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\taskeng.exe (PID 564)
  cmdline: taskeng.exe {32C7E281-2992-4CE2-A916-AD0D22027070} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe (PID 544)
    cmdline: C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 552)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 1408)
      cmdline: "C:\Windows\SysWOW64\schtasks.exe" /create /tn rasdial /tr "C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe (PID 1796)
    cmdline: C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 1364)
      cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.9MB
MD5: 78efe21d81d4548d0701f8c0fc032880
SHA1: de0a97634d0eeef5ff5dd0832ba1dd317cc2845e
SHA256: afab0f44ad8f684912645dc0f4f207dc346af320e58a67dbc2ae9852bae3ece5
SHA512: b3090db4395605c123c5f8d76410b95d290773364c10b8197d9101aa135090226da7c75da0657d3167e001c3f3f70834b5d7acde5518527fa0675f0fbb504c09