Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 43s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2023, 13:33
Static task: static1
Behavioral task: behavioral1
  Sample: baa16c18d7e6175530b5555263acc73109b33d73.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: baa16c18d7e6175530b5555263acc73109b33d73.exe
  Resource: win10v2004-20220812-en
General
Target: baa16c18d7e6175530b5555263acc73109b33d73.exe
Size: 11KB
MD5: 1fb24cd509d9fb14100a8e0802cc6b36
SHA1: baa16c18d7e6175530b5555263acc73109b33d73
SHA256: 997918adb5bdc5781b823fe5800e8cb1ee7bf763bdf96dbefd64c6893122423e
SHA512: cdca1d5fc84ecc5e03c6530056da5dfa714f74480fdcf8e9aebe9797a08acd2ae2e76c0bc1e748a770d7828249e5369cd245ccfad01599137a6d4d5257889243
SSDEEP: 192:jaoQF1cxvY43cyGd17qdJfZoptaCyCM19yjVxo91nGOjfqdv:gF1sA43ud14JhonaDCM1kvOdxedv
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HFDF = "C:\\Windows\\system32\\hfdf0524.exe" | baa16c18d7e6175530b5555263acc73109b33d73.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | baa16c18d7e6175530b5555263acc73109b33d73.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\hfdf0524.dll | baa16c18d7e6175530b5555263acc73109b33d73.exe
  File created | C:\Windows\SysWOW64\test.sys | baa16c18d7e6175530b5555263acc73109b33d73.exe
  File created | C:\Windows\SysWOW64\hfdf0524.exe | baa16c18d7e6175530b5555263acc73109b33d73.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  364 | baa16c18d7e6175530b5555263acc73109b33d73.exe

Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  460 | Process not Found

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 364 wrote to memory of 1300 | 364 | baa16c18d7e6175530b5555263acc73109b33d73.exe | 11
  PID 364 wrote to memory of 1932 | 364 | baa16c18d7e6175530b5555263acc73109b33d73.exe | 27
  PID 364 wrote to memory of 1932 | 364 | baa16c18d7e6175530b5555263acc73109b33d73.exe | 27
  PID 364 wrote to memory of 1932 | 364 | baa16c18d7e6175530b5555263acc73109b33d73.exe | 27
  PID 364 wrote to memory of 1932 | 364 | baa16c18d7e6175530b5555263acc73109b33d73.exe | 27
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1300

   2. C:\Users\Admin\AppData\Local\Temp\baa16c18d7e6175530b5555263acc73109b33d73.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\baa16c18d7e6175530b5555263acc73109b33d73.exe"
      PID: 364
      Signatures:
      - Adds policy Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\w1.bat" "
         PID: 1932
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 334B
MD5: a3fad92d9597f745bc52a49e4848baee
SHA1: 4765c3f1e70ff07fb558d4b8c9b6c8fc7f7645fe
SHA256: 48eab08e15678ac8ffdea0a2107976fa10ce9ae34e122ee231ca8b0a86b5a9fc
SHA512: a6ef8b68e70c3179a1357456e82b7abf18fe9a8fe99d835257beb2070e7701f565b7718510880e0b2e18d37a7a8121493c9fd402743a977f107e07a30a632459