Analysis
- max time kernel: 143s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 03/03/2023, 07:50
Behavioral task: behavioral1
- Sample: 9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe
- Resource: win10v2004-20230220-en
General
- Target: 9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe
- Size: 5.6MB
- MD5: 66075c2400e6c97ddc3961659a8089bc
- SHA1: c58943a7f21783e5497c1ea0f23682f39220d585
- SHA256: 9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8
- SHA512: e413381dfa39d3e554aab6e6da06e11064206be9ada0eb6b9abece2f5860802535b7b5ad24d284132713b13ab0fbe055e0c4e1311e4e29e08f32f63d51b23ef2
- SSDEEP: 98304:cJdWr3JEpUG0/vz2de4Go0OBbkRcu4rqPe3kwyM5pqyOT0bY2zt99m7DmdvEltzs:cJdWrWu2NGo0VuuuqPe0NMzqyOdAt98M
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  760   FSCapture.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1604  9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe
  1604  9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe
-
  resource                                                                      yara_rule
  behavioral1/memory/1604-76-0x0000000000400000-0x00000000004DD000-memory.dmp  upx
  behavioral1/memory/1604-90-0x0000000000400000-0x00000000004DD000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description                        pid  Process
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
  Token: 33                          760  FSCapture.exe
  Token: SeIncBasePriorityPrivilege  760  FSCapture.exe
- Suspicious use of FindShellTrayWindow (7 IoCs)
  pid  Process
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
- Suspicious use of SendNotifyMessage (7 IoCs)
  pid  Process
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid  Process
  760  FSCapture.exe
  760  FSCapture.exe
  760  FSCapture.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process                                                                 procid_target
  PID 1604 wrote to memory of 760  1604  9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe  28
  PID 1604 wrote to memory of 760  1604  9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe  28
  PID 1604 wrote to memory of 760  1604  9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe  28
  PID 1604 wrote to memory of 760  1604  9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe"
  PID: 1604
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\FSCapture.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\FSCapture.exe"
    PID: 760
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads