Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
11s -
max time network
14s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
06/02/2023, 22:33
Static task
static1
windows7-x64
10 signatures
150 seconds
windows10-2004-x64
10 signatures
150 seconds
Errors
Reason
Machine shutdown
General
-
Target
-
Size
6.7MB
-
MD5
f2b7074e1543720a9a98fda660e02688
-
SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca
-
SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
-
SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
-
SSDEEP
3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9
Score
8/10
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: [email protected] File opened (read-only) \??\T: [email protected] File opened (read-only) \??\V: [email protected] File opened (read-only) \??\A: [email protected] File opened (read-only) \??\E: [email protected] File opened (read-only) \??\I: [email protected] File opened (read-only) \??\K: [email protected] File opened (read-only) \??\R: [email protected] File opened (read-only) \??\X: [email protected] File opened (read-only) \??\Y: [email protected] File opened (read-only) \??\Z: [email protected] File opened (read-only) \??\B: [email protected] File opened (read-only) \??\J: [email protected] File opened (read-only) \??\M: [email protected] File opened (read-only) \??\P: [email protected] File opened (read-only) \??\U: [email protected] File opened (read-only) \??\F: [email protected] File opened (read-only) \??\N: [email protected] File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\G: [email protected] File opened (read-only) \??\H: [email protected] File opened (read-only) \??\L: [email protected] File opened (read-only) \??\O: [email protected] File opened (read-only) \??\W: [email protected] -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" [email protected] -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper [email protected] -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 2 IoCs
pid Process 1228 taskkill.exe 1960 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" [email protected] -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1228 taskkill.exe Token: SeDebugPrivilege 1960 taskkill.exe Token: SeIncreaseQuotaPrivilege 1536 WMIC.exe Token: SeSecurityPrivilege 1536 WMIC.exe Token: SeTakeOwnershipPrivilege 1536 WMIC.exe Token: SeLoadDriverPrivilege 1536 WMIC.exe Token: SeSystemProfilePrivilege 1536 WMIC.exe Token: SeSystemtimePrivilege 1536 WMIC.exe Token: SeProfSingleProcessPrivilege 1536 WMIC.exe Token: SeIncBasePriorityPrivilege 1536 WMIC.exe Token: SeCreatePagefilePrivilege 1536 WMIC.exe Token: SeBackupPrivilege 1536 WMIC.exe Token: SeRestorePrivilege 1536 WMIC.exe Token: SeShutdownPrivilege 1536 WMIC.exe Token: SeDebugPrivilege 1536 WMIC.exe Token: SeSystemEnvironmentPrivilege 1536 WMIC.exe Token: SeRemoteShutdownPrivilege 1536 WMIC.exe Token: SeUndockPrivilege 1536 WMIC.exe Token: SeManageVolumePrivilege 1536 WMIC.exe Token: 33 1536 WMIC.exe Token: 34 1536 WMIC.exe Token: 35 1536 WMIC.exe Token: SeIncreaseQuotaPrivilege 1536 WMIC.exe Token: SeSecurityPrivilege 1536 WMIC.exe Token: SeTakeOwnershipPrivilege 1536 WMIC.exe Token: SeLoadDriverPrivilege 1536 WMIC.exe Token: SeSystemProfilePrivilege 1536 WMIC.exe Token: SeSystemtimePrivilege 1536 WMIC.exe Token: SeProfSingleProcessPrivilege 1536 WMIC.exe Token: SeIncBasePriorityPrivilege 1536 WMIC.exe Token: SeCreatePagefilePrivilege 1536 WMIC.exe Token: SeBackupPrivilege 1536 WMIC.exe Token: SeRestorePrivilege 1536 WMIC.exe Token: SeShutdownPrivilege 1536 WMIC.exe Token: SeDebugPrivilege 1536 WMIC.exe Token: SeSystemEnvironmentPrivilege 1536 WMIC.exe Token: SeRemoteShutdownPrivilege 1536 WMIC.exe Token: SeUndockPrivilege 1536 WMIC.exe Token: SeManageVolumePrivilege 1536 WMIC.exe Token: 33 1536 WMIC.exe Token: 34 1536 WMIC.exe Token: 35 1536 WMIC.exe Token: SeIncreaseQuotaPrivilege 552 WMIC.exe Token: SeSecurityPrivilege 552 WMIC.exe Token: SeTakeOwnershipPrivilege 552 WMIC.exe Token: SeLoadDriverPrivilege 552 WMIC.exe Token: SeSystemProfilePrivilege 552 WMIC.exe Token: SeSystemtimePrivilege 552 WMIC.exe Token: SeProfSingleProcessPrivilege 552 WMIC.exe Token: SeIncBasePriorityPrivilege 552 WMIC.exe Token: SeCreatePagefilePrivilege 552 WMIC.exe Token: SeBackupPrivilege 552 WMIC.exe Token: SeRestorePrivilege 552 WMIC.exe Token: SeShutdownPrivilege 552 WMIC.exe Token: SeDebugPrivilege 552 WMIC.exe Token: SeSystemEnvironmentPrivilege 552 WMIC.exe Token: SeRemoteShutdownPrivilege 552 WMIC.exe Token: SeUndockPrivilege 552 WMIC.exe Token: SeManageVolumePrivilege 552 WMIC.exe Token: 33 552 WMIC.exe Token: 34 552 WMIC.exe Token: 35 552 WMIC.exe Token: SeIncreaseQuotaPrivilege 552 WMIC.exe Token: SeSecurityPrivilege 552 WMIC.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1780 [email protected] 1780 [email protected] -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1780 wrote to memory of 1420 1780 [email protected] 28 PID 1780 wrote to memory of 1420 1780 [email protected] 28 PID 1780 wrote to memory of 1420 1780 [email protected] 28 PID 1780 wrote to memory of 1420 1780 [email protected] 28 PID 1420 wrote to memory of 1228 1420 cmd.exe 30 PID 1420 wrote to memory of 1228 1420 cmd.exe 30 PID 1420 wrote to memory of 1228 1420 cmd.exe 30 PID 1420 wrote to memory of 1228 1420 cmd.exe 30 PID 1420 wrote to memory of 1960 1420 cmd.exe 32 PID 1420 wrote to memory of 1960 1420 cmd.exe 32 PID 1420 wrote to memory of 1960 1420 cmd.exe 32 PID 1420 wrote to memory of 1960 1420 cmd.exe 32 PID 1420 wrote to memory of 1536 1420 cmd.exe 33 PID 1420 wrote to memory of 1536 1420 cmd.exe 33 PID 1420 wrote to memory of 1536 1420 cmd.exe 33 PID 1420 wrote to memory of 1536 1420 cmd.exe 33 PID 1420 wrote to memory of 552 1420 cmd.exe 34 PID 1420 wrote to memory of 552 1420 cmd.exe 34 PID 1420 wrote to memory of 552 1420 cmd.exe 34 PID 1420 wrote to memory of 552 1420 cmd.exe 34 PID 1420 wrote to memory of 1372 1420 cmd.exe 35 PID 1420 wrote to memory of 1372 1420 cmd.exe 35 PID 1420 wrote to memory of 1372 1420 cmd.exe 35 PID 1420 wrote to memory of 1372 1420 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 03⤵PID:1372
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:568
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1692
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
403B
MD56fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
Filesize
76KB
MD59232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
Filesize
771B
MD5a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6