Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
62s -
max time network
63s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
15/02/2023, 00:17
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
General
-
Target
file.exe
-
Size
3.0MB
-
MD5
1e65ac9fa6dc0858a16d30df32bba19c
-
SHA1
ad82d6b20571300609c98ba05280ae65d2459b52
-
SHA256
8e312734d6742cb01cbb585fe48c09d8aa49410012f5fb9b98e6a075e9250c37
-
SHA512
59ad21d9d4101ef411191847b3f46c845043029bc4ca2085b93e8a473207fd1762547fa1687c8ba19f39d1b398cef508d4943121667ab6e5d593ff97dca09b34
-
SSDEEP
98304:JHHHqVTRz+QpxXWNx4VYUVemQMPJ/EE4G+81yv2MR:dWz+MMCVYwgOQGsvjR
Malware Config
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2008 file.tmp 568 FRec214.exe 1516 sIvyBQw8p8Hp.exe -
Loads dropped DLL 7 IoCs
pid Process 1148 file.exe 2008 file.tmp 2008 file.tmp 2008 file.tmp 2008 file.tmp 2008 file.tmp 568 FRec214.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 9 IoCs
description ioc Process File created C:\Program Files (x86)\FHTsoftFR\FRec214\unins000.dat file.tmp File created C:\Program Files (x86)\FHTsoftFR\FRec214\is-96K42.tmp file.tmp File created C:\Program Files (x86)\FHTsoftFR\FRec214\is-HIC6A.tmp file.tmp File opened for modification C:\Program Files (x86)\FHTsoftFR\FRec214\unins000.dat file.tmp File opened for modification C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe file.tmp File created C:\Program Files (x86)\FHTsoftFR\FRec214\is-EN7M6.tmp file.tmp File created C:\Program Files (x86)\FHTsoftFR\FRec214\is-J4Q13.tmp file.tmp File created C:\Program Files (x86)\FHTsoftFR\FRec214\is-Q5G8U.tmp file.tmp File created C:\Program Files (x86)\FHTsoftFR\FRec214\data\is-IVV8F.tmp file.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
pid Process 868 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 568 FRec214.exe 568 FRec214.exe 568 FRec214.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 868 taskkill.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 1148 wrote to memory of 2008 1148 file.exe 28 PID 1148 wrote to memory of 2008 1148 file.exe 28 PID 1148 wrote to memory of 2008 1148 file.exe 28 PID 1148 wrote to memory of 2008 1148 file.exe 28 PID 1148 wrote to memory of 2008 1148 file.exe 28 PID 1148 wrote to memory of 2008 1148 file.exe 28 PID 1148 wrote to memory of 2008 1148 file.exe 28 PID 2008 wrote to memory of 568 2008 file.tmp 29 PID 2008 wrote to memory of 568 2008 file.tmp 29 PID 2008 wrote to memory of 568 2008 file.tmp 29 PID 2008 wrote to memory of 568 2008 file.tmp 29 PID 568 wrote to memory of 1516 568 FRec214.exe 30 PID 568 wrote to memory of 1516 568 FRec214.exe 30 PID 568 wrote to memory of 1516 568 FRec214.exe 30 PID 568 wrote to memory of 1516 568 FRec214.exe 30 PID 568 wrote to memory of 632 568 FRec214.exe 33 PID 568 wrote to memory of 632 568 FRec214.exe 33 PID 568 wrote to memory of 632 568 FRec214.exe 33 PID 568 wrote to memory of 632 568 FRec214.exe 33 PID 632 wrote to memory of 868 632 cmd.exe 35 PID 632 wrote to memory of 868 632 cmd.exe 35 PID 632 wrote to memory of 868 632 cmd.exe 35 PID 632 wrote to memory of 868 632 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\is-1QBEN.tmp\file.tmp"C:\Users\Admin\AppData\Local\Temp\is-1QBEN.tmp\file.tmp" /SL5="$70124,2915537,387072,C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe"C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\sIvyBQw8p8Hp.exe
- Executes dropped EXE
PID:1516
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "FRec214.exe" /f & erase "C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe" & exit4⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "FRec214.exe" /f5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5d4962282718c7f0dab0108079d354bd4
SHA1ebfd54cb13bbf86debb6aceec5fd0508271cf23b
SHA256bd9ea233b21926a058a64c6b191abbae14bcaab7a968a3a19a0a84595fe62f3b
SHA5120632a87bbb7f885929a2fb3b349fda66f8d1a495d713f045f4e52198574cd3edf15b28ecfe3d7a288b4bd2be9055e6b7e4fa9be64648016296340b174cb44b8f
-
Filesize
3.1MB
MD5d4962282718c7f0dab0108079d354bd4
SHA1ebfd54cb13bbf86debb6aceec5fd0508271cf23b
SHA256bd9ea233b21926a058a64c6b191abbae14bcaab7a968a3a19a0a84595fe62f3b
SHA5120632a87bbb7f885929a2fb3b349fda66f8d1a495d713f045f4e52198574cd3edf15b28ecfe3d7a288b4bd2be9055e6b7e4fa9be64648016296340b174cb44b8f
-
Filesize
696KB
MD5d76329b30db65f61d55b20f36b56da26
SHA15e4c77b723ae8f05b3ae6afeee735a4355f00663
SHA256229fbcb11ee7d1f082b6411610e95f726eec4e6737e6b6392719df4f0fe3fa1d
SHA512a291aed0897315e88b6378b1db10ada05bda8c1eccaf73de23f409fe61860ebd1dbb422063e00996584d3b4b100122931d5bbab54a88951706d75efcc660f70d
-
Filesize
696KB
MD5d76329b30db65f61d55b20f36b56da26
SHA15e4c77b723ae8f05b3ae6afeee735a4355f00663
SHA256229fbcb11ee7d1f082b6411610e95f726eec4e6737e6b6392719df4f0fe3fa1d
SHA512a291aed0897315e88b6378b1db10ada05bda8c1eccaf73de23f409fe61860ebd1dbb422063e00996584d3b4b100122931d5bbab54a88951706d75efcc660f70d
-
Filesize
72KB
MD53fb36cb0b7172e5298d2992d42984d06
SHA1439827777df4a337cbb9fa4a4640d0d3fa1738b7
SHA25627ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6
SHA5126b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c
-
Filesize
3.1MB
MD5d4962282718c7f0dab0108079d354bd4
SHA1ebfd54cb13bbf86debb6aceec5fd0508271cf23b
SHA256bd9ea233b21926a058a64c6b191abbae14bcaab7a968a3a19a0a84595fe62f3b
SHA5120632a87bbb7f885929a2fb3b349fda66f8d1a495d713f045f4e52198574cd3edf15b28ecfe3d7a288b4bd2be9055e6b7e4fa9be64648016296340b174cb44b8f
-
Filesize
696KB
MD5d76329b30db65f61d55b20f36b56da26
SHA15e4c77b723ae8f05b3ae6afeee735a4355f00663
SHA256229fbcb11ee7d1f082b6411610e95f726eec4e6737e6b6392719df4f0fe3fa1d
SHA512a291aed0897315e88b6378b1db10ada05bda8c1eccaf73de23f409fe61860ebd1dbb422063e00996584d3b4b100122931d5bbab54a88951706d75efcc660f70d
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
72KB
MD53fb36cb0b7172e5298d2992d42984d06
SHA1439827777df4a337cbb9fa4a4640d0d3fa1738b7
SHA25627ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6
SHA5126b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c