Resubmissions
submitted            task id              score
08/05/2023, 12:04    230508-n83alscc6v    10
14/02/2023, 12:24    230214-pljenacf6s    1
14/02/2023, 12:00    230214-n6rq4adb47    10
14/02/2023, 11:52    230214-n1s2zace3s    10
24/01/2023, 09:45    230124-lrfn6sad97    10

Analysis
max time kernel: 19s
max time network: 22s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14/02/2023, 12:00
Static task: static1
Behavioral task: behavioral1
Sample: 8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe
Resource: win7-20220812-en

General
Target: 8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe
Size: 232KB
MD5: f6254a206b59207201f38f69fb018932
SHA1: 4109d2edf584ce7f8104410eaa02ddae1aa37117
SHA256: 8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45
SHA512: bf6ab8ed99b730a364affed3f341387d82a5fed4ae052f4e897726adae2e963182083a3ba6fa52dfa6f2bd9cc9c3b92643279f46bebf931288545938da5a01b6
SSDEEP: 3072:aIGGLok59Gt+ECvLFwyvBnlS1g/tK8MJ2LJDhzLrcSb54VIcVTuh:TLoYC+rK+ztK8MY3bIr

Malware Config
Extracted: tofsee
svartalfheim.top
jotunheim.name
Signatures
- Creates new service(s)  (1 TTPs)
- Modifies Windows Firewall  (1 TTPs, 1 IoCs)
    pid 1644  netsh.exe
- Sets service image path in registry  (2 TTPs, 1 IoCs)
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\edupxxhy\ImagePath = "C:\\Windows\\SysWOW64\\edupxxhy\\ynbyrxtw.exe"  svchost.exe
- Deletes itself  (1 IoCs)
    pid 1832  svchost.exe
- Executes dropped EXE  (1 IoCs)
    pid 112  ynbyrxtw.exe
- Drops file in System32 directory  (1 IoCs)
    File created  C:\Windows\SysWOW64\config\systemprofile:.repos  svchost.exe
- Suspicious use of SetThreadContext  (1 IoCs)
    PID 112 set thread context of 1832  ynbyrxtw.exe  (procid_target 39)
- Launches sc.exe  (3 IoCs)
    Sc.exe is a Windows utility to control services on the system.
    pid 2012  sc.exe
    pid 956   sc.exe
    pid 1604  sc.exe
- Enumerates physical storage devices  (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS  (2 IoCs)
    Set value (data)  \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = [binary value not preserved in this copy]  svchost.exe
    Key created  \REGISTRY\USER\.DEFAULT\Control Panel\Buses  svchost.exe
- Suspicious use of WriteProcessMemory  (30 IoCs)
    source PID  process                                                               target PID  procid_target  events
    856         8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe  1204        26             4
    856         8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe  1540        28             4
    856         8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe  956         30             4
    856         8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe  1604        32             4
    856         8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe  2012        34             4
    856         8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe  1644        38             4
    112         ynbyrxtw.exe                                                          1832        39             6
Processes
- C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe  (PID 856)
  command line: "C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 1204)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\edupxxhy\
  - C:\Windows\SysWOW64\cmd.exe  (PID 1540)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ynbyrxtw.exe" C:\Windows\SysWOW64\edupxxhy\
  - C:\Windows\SysWOW64\sc.exe  (PID 956)
    command line: "C:\Windows\System32\sc.exe" create edupxxhy binPath= "C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe /d\"C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe  (PID 1604)
    command line: "C:\Windows\System32\sc.exe" description edupxxhy "wifi internet conection"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe  (PID 2012)
    command line: "C:\Windows\System32\sc.exe" start edupxxhy
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe  (PID 1644)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe  (PID 112)
  command line: C:\Windows\SysWOW64\edupxxhy\ynbyrxtw.exe /d"C:\Users\Admin\AppData\Local\Temp\8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe  (PID 1832)
    command line: svchost.exe
    signatures: Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Downloads
Filesize: 14.1MB
MD5: a26b8b2a3e377ecc320d0f6786b6020f
SHA1: 100c30429cb88a221f58287110b2f88554e0ba70
SHA256: c3abf7fc8a66a932be95f1c5be8e8c29b90d1ce7b60344a8b82234af625074f3
SHA512: 1aff8ac929835e939e1b4f7e248e8a42d7fb6c4d01de6c5233895ca9afc4b98ea2a78d2b98254c09be88224d88b5d458c1ed566f9f36a0665de138a0fb0cadb2