Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

f2b1dd5d70...5b.exe

windows7-x64

3

f2b1dd5d70...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    228s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2023, 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe

  • Size

    818KB

  • MD5

    056dbac271b4b97fac9016695f03be29

  • SHA1

    f2b1dd5d709a7e606002f1b2a0cda30e07d1635b

  • SHA256

    a67119e6131f2cf27b28044e3562d04abd86b62bcebbfa8ed7f4ecea90682f2d

  • SHA512

    6e9c26661573d89ec52e37e1c300bad30d215ffdddaddc8e1b357449c241f19e1dd19a44f14dff4d6c829efd8beeb165a03c4bcda0d853d981839ae84e727dbd

  • SSDEEP

    24576:keSqG4yPa46F0xM64kLOBLHK4FUgmaFq:ztWiFkLOBLHK4FUgm

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe
    "C:\Users\Admin\AppData\Local\Temp\f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uUnNpOcmAQf.exe"
      2⤵
        PID:280
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uUnNpOcmAQf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA1BC.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:828

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA1BC.tmp
      Filesize

      1KB

      MD5

      01755cc077e914db196f54a337989074

      SHA1

      258ae88329bc83ad1c81a320475e1bf96210edc4

      SHA256

      3105ae4a00ed7e219b85a6922544c41d969451c766bd4b7462bc5c8db6577523

      SHA512

      2e1053c737d5122b014cb37e5c8164f579c821429adb9300146bcd3e2eb8ea92dfdadc28bc0888dbf6ad27c1f8c624b87b5dcc755a369a7014fe8d474d97d8b9

      Download Submit

    • memory/280-63-0x000000006EA30000-0x000000006EFDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/280-64-0x000000006EA30000-0x000000006EFDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1520-54-0x0000000000C50000-0x0000000000D24000-memory.dmp

      Filesize

      848KB

      Download

    • memory/1520-55-0x00000000757C1000-0x00000000757C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1520-56-0x00000000005C0000-0x00000000005D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1520-57-0x00000000005D0000-0x00000000005DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1520-58-0x0000000007ED0000-0x0000000007F3A000-memory.dmp

      Filesize

      424KB

      Download