Analysis

  • max time kernel
    143s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/03/2023, 07:50

General

  • Target

    9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe

  • Size

    5.6MB

  • MD5

    66075c2400e6c97ddc3961659a8089bc

  • SHA1

    c58943a7f21783e5497c1ea0f23682f39220d585

  • SHA256

    9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8

  • SHA512

    e413381dfa39d3e554aab6e6da06e11064206be9ada0eb6b9abece2f5860802535b7b5ad24d284132713b13ab0fbe055e0c4e1311e4e29e08f32f63d51b23ef2

  • SSDEEP

    98304:cJdWr3JEpUG0/vz2de4Go0OBbkRcu4rqPe3kwyM5pqyOT0bY2zt99m7DmdvEltzs:cJdWrWu2NGo0VuuuqPe0NMzqyOdAt98M

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe
    "C:\Users\Admin\AppData\Local\Temp\9b3d1af51c8dbc42ee1656bc6332704020b4b705318587927134c4d1aa365cd8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\FSCapture.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\FSCapture.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:760

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\FSCapture.exe

    Filesize

    6.8MB

    MD5

    168c20f64badbad2817b7f8564b15021

    SHA1

    ac57006d01ca7d70ce37019e73868ac99bf9f3b2

    SHA256

    4097ca4039d1e5f6495ce3f84990141899f5da91d495e1ba8e0a53dc9ed2de28

    SHA512

    a4f746e14f68f9279ba9f7a1613f1a2e6c68a998d8b11ff58a667bc95eca9b5595b8d1adb6b78f1b45c80874a35c62cab250cebd108c2a171ddb38e92567eb44

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\Languages\FSC02.fslang

    Filesize

    186KB

    MD5

    d38396129a0654f2baae695de09b2502

    SHA1

    8600df09abd19b4964cc19de5cebe3342eacc334

    SHA256

    39926bc03485e3212d07256be5b0714a985aff8096ded6275bc5c961cd4039cc

    SHA512

    2f8b85c959c31bf7f77bbf33a1f90385a3c1eeba3413b162b0ae795a8df433a4eb4ace5ce4c16fc6f2ba73ef6aa3e0b6f56cda47a4efb9953d50bf3c7330e1ea

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\fsc.db

    Filesize

    7KB

    MD5

    e9c904e95c50fb2f75770dec154c546e

    SHA1

    41106529ffb09dc4e752589c11ddb8f92864a195

    SHA256

    daea7457aa9af307179f8337ebd286a59ece673819cb137576a68792b1b594f0

    SHA512

    8e497ffbcbbd32c6f544bb393145cdb96af51ae4f457ed27f9151e1b814c8b4f2e94c75d8ccdfa9b6902fbe93429466f0cefc184b733c45f6462c1f200a22ae9

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\FSCapture\FSCapture.exe

    Filesize

    6.8MB

    MD5

    168c20f64badbad2817b7f8564b15021

    SHA1

    ac57006d01ca7d70ce37019e73868ac99bf9f3b2

    SHA256

    4097ca4039d1e5f6495ce3f84990141899f5da91d495e1ba8e0a53dc9ed2de28

    SHA512

    a4f746e14f68f9279ba9f7a1613f1a2e6c68a998d8b11ff58a667bc95eca9b5595b8d1adb6b78f1b45c80874a35c62cab250cebd108c2a171ddb38e92567eb44

  • memory/760-89-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

  • memory/760-91-0x0000000001170000-0x000000000184E000-memory.dmp

    Filesize

    6.9MB

  • memory/760-93-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

  • memory/1604-76-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/1604-90-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB