Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  150s
  max time network: 150s
  platform:         windows7_x64
  resource:         win7-20230220-en
  resource tags:    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:        16/03/2023, 06:47
Static task: static1

Behavioral task: behavioral1
  Sample:   URGENT REGUEST.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample:   URGENT REGUEST.exe
  Resource: win10v2004-20230220-en
General
  Target: URGENT REGUEST.exe
  Size:   1.3MB
  MD5:    374f701da5f081b20a7d31f509200d45
  SHA1:   0c7f5c87e22d6f836f3857b768e45562ca715f7a
  SHA256: 13c4ed220256fb2dfb95631c042d9eadf977bd2dc5e4aa0898ab99bd16d33ef7
  SHA512: 139a3c672f9968304a06ba8bad39ca2fd560aada5e64946566d1f283f0c9dbad10436323b01adc08eb6ec2a6703306ae93b6c356567d021660d830928db71396
  SSDEEP: 24576:sdNlhF5RDdMkri7YqTUk0l4VsIzj7BXUcZrG5Y0MCh8riI:g5YY2VG4VrBkcZrG5nMCU
Malware Config
Signatures
Loads dropped DLL (1 IoCs)
  pid   Process
  1736  wlanext.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process             procid_target
  PID 1700 set thread context of 1408  1700  URGENT REGUEST.exe  32
  PID 1408 set thread context of 1344  1408  RegSvcs.exe         15
  PID 1736 set thread context of 1344  1736  wlanext.exe         15

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  268  schtasks.exe
Modifies Internet Explorer settings (1 IoCs)
  description: Key created
  ioc:         \Registry\User\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  Process:     wlanext.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid   Process             entries
  1700  URGENT REGUEST.exe  2
  524   powershell.exe      1
  1408  RegSvcs.exe         4
  1736  wlanext.exe         16

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1344  Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process      entries
  1408  RegSvcs.exe  3
  1736  wlanext.exe  4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1700  URGENT REGUEST.exe
  Token: SeDebugPrivilege  524   powershell.exe
  Token: SeDebugPrivilege  1408  RegSvcs.exe
  Token: SeDebugPrivilege  1736  wlanext.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process       entries
  1344  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process       entries
  1344  Explorer.EXE  2

Suspicious use of WriteProcessMemory (27 IoCs)
  description                        pid   Process             procid_target  entries
  PID 1700 wrote to memory of 524    1700  URGENT REGUEST.exe  28             4
  PID 1700 wrote to memory of 268    1700  URGENT REGUEST.exe  30             4
  PID 1700 wrote to memory of 1408   1700  URGENT REGUEST.exe  32             10
  PID 1344 wrote to memory of 1736   1344  Explorer.EXE        33             4
  PID 1736 wrote to memory of 1276   1736  wlanext.exe         36             5
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1344
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\URGENT REGUEST.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\URGENT REGUEST.exe"
    PID: 1700
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KQpFFfEqQXzcn.exe"
      PID: 524
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KQpFFfEqQXzcn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD70.tmp"
      PID: 268
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1408
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    PID: 1736
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1276
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file 1
  Filesize: 553KB
  MD5:      5e2d04cb2fae4e811ca35675c472f5fc
  SHA1:     6e2359f8e81f1a1122d1fb50b064878f2aaefc68
  SHA256:   dd46a298ab90ca9ba8a1f633f20abe2dcb805596b5aa68dcb84cce99e3a56be1
  SHA512:   53c8701768ee4a43a6b2095af00aa5f2c53445021a91d3567d02cf8157c7b7c4e629c5c70bb24697d365a7c41c791af0c68b511ab3cf5f356d9d929618421d05

Dropped file 2
  Filesize: 1KB
  MD5:      20dbfcb6f15cc467e1def8a8c7cc0dcc
  SHA1:     2441ca6778caef007c4ce8a206821d3e51b96c3d
  SHA256:   2587eb9ba507dde4ba2460c9bb7c2612160fa61a27e9dde88535859a4728a06d
  SHA512:   053b9b4e15f49271cb8def5d69ff4f5024778ae3daf030789a1ef349fd0ddcd085a0b8b91c57a4595c242c1aa673a9e3b212125cd9da301880c9c67d0176e2c5

Dropped file 3
  Filesize: 1.0MB
  MD5:      f1e5f58f9eb43ecec773acbdb410b888
  SHA1:     f1b8076b0bbde696694bbc0ab259a77893839464
  SHA256:   a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14
  SHA512:   0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456