Analysis

max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2023, 12:37
Static task: static1

Behavioral task: behavioral1
  Sample: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  Resource: win10v2004-20230220-en
General

Target: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
Size: 449KB
MD5: 010510fa1699192fcf419d8d0979d326
SHA1: 90e52323fbe695e19b12eb19abadd54140bc8bfa
SHA256: 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb
SHA512: 163f2ea50a79ece7d380d0d34224caab011ea7e6ee4900e184db602feb1f6119abc0478e5a2c5ab73ca8a02ac555f8103787dcad38050ec1b1e60d4acaa979e7
SSDEEP: 6144:2Ya6r7pbu7cahyvQjwEPM9lKH9bZey354wS/yPulz75aWWvSZf:2YnQVhy7uMSdbZey3if/y2t9aLw
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation | spfxemttfw.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  1752 | spfxemttfw.exe
  1372 | spfxemttfw.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  1768 | 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  1768 | 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe
  1752 | spfxemttfw.exe
  588 | ipconfig.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1752 set thread context of 1372 | 1752 | spfxemttfw.exe | 29
  PID 1372 set thread context of 1236 | 1372 | spfxemttfw.exe | 12
  PID 588 set thread context of 1236 | 588 | ipconfig.exe | 12

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
  pid | Process
  588 | ipconfig.exe

Modifies Internet Explorer settings (1 IoC)
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-1283023626-844874658-3193756055-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | ipconfig.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid | Process
  1372 | spfxemttfw.exe (4 entries)
  588 | ipconfig.exe (24 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1236 | Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
  pid | Process
  1752 | spfxemttfw.exe (1 entry)
  1372 | spfxemttfw.exe (3 entries)
  588 | ipconfig.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1372 | spfxemttfw.exe
  Token: SeDebugPrivilege | 588 | ipconfig.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1236 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  1236 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1768 wrote to memory of 1752 | 1768 | 3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe | 28 (4 entries)
  PID 1752 wrote to memory of 1372 | 1752 | spfxemttfw.exe | 29 (5 entries)
  PID 1236 wrote to memory of 588 | 1236 | Explorer.EXE | 30 (4 entries)
  PID 588 wrote to memory of 2000 | 588 | ipconfig.exe | 33 (5 entries)
Processes

[1] C:\Windows\Explorer.EXE (PID 1236)
    command line: "C:\Windows\Explorer.EXE"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe (PID 1768)
        command line: "C:\Users\Admin\AppData\Local\Temp\3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe (PID 1752)
            command line: "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe" C:\Users\Admin\AppData\Local\Temp\xzrym.t
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe (PID 1372)
                command line: "C:\Users\Admin\AppData\Local\Temp\spfxemttfw.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\ipconfig.exe (PID 588)
        command line: "C:\Windows\SysWOW64\ipconfig.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Gathers network information
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2000)
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads