Analysis
max time kernel: 131s
max time network: 135s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 19/03/2023, 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  Resource: win10v2004-20230220-en
General
Target: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
Size: 7.3MB
MD5: 99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1: 59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256: 348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512: 845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP: 196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1
Malware Config
Extracted
laplas
http://185.106.92.104
api_key: bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures

Executes dropped EXE (1 IoCs)
  PID 1652: svcservice.exe

Loads dropped DLL (1 IoCs)
  PID 1484: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" (process: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 1484: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  PID 1484: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  PID 1652: svcservice.exe
  PID 1652: svcservice.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1484: 99f16ab6ab670935b5aa5c84b1b5f6bd.exe
  PID 1652: svcservice.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1484 (99f16ab6ab670935b5aa5c84b1b5f6bd.exe) wrote to memory of PID 1652 (target procid 27)
  PID 1484 (99f16ab6ab670935b5aa5c84b1b5f6bd.exe) wrote to memory of PID 1652 (target procid 27)
  PID 1484 (99f16ab6ab670935b5aa5c84b1b5f6bd.exe) wrote to memory of PID 1652 (target procid 27)
  PID 1484 (99f16ab6ab670935b5aa5c84b1b5f6bd.exe) wrote to memory of PID 1652 (target procid 27)
  PID 1484 (99f16ab6ab670935b5aa5c84b1b5f6bd.exe) wrote to memory of PID 1652 (target procid 27)
  PID 1484 (99f16ab6ab670935b5aa5c84b1b5f6bd.exe) wrote to memory of PID 1652 (target procid 27)
  PID 1484 (99f16ab6ab670935b5aa5c84b1b5f6bd.exe) wrote to memory of PID 1652 (target procid 27)
Processes

1. C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe"
   PID: 1484
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe (child of PID 1484)
      Command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      PID: 1652
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 654.3MB
MD5: 6b6f2137d5d8caba0c08e706886cb66e
SHA1: 2a22bfa7d1cc2b4ae606a475cf8df81daf589a74
SHA256: d3a472ea77aba7fb44285630b29d5337e93bf4ea022111ba9b81dd340c6e0e00
SHA512: 18d2d28cbb961c8d0dbd3db14cfeab947eceb1aaf272464c720dba085420aa18e82ed79875de3c0596055374d208e8755da8c2db60f6108d43c8a66c1d5e96ba

Filesize: 682.9MB
MD5: b2d2cfac4b03f7f2994a42e8db189d2b
SHA1: 5b84b7ede10d092d6932c41cd476c7201cb9db44
SHA256: fef525600e229f4be5466d3fbff10e08e9afaf182d93cbd656c6f3ec0f310702
SHA512: 3b8b5caae99e296a69f5f9b570d7eba23d2309dba2977acd166896df775a851b4d058746adf4f885a1be09384adadd114bb3b9742c35a0b3c799060f32758559

Filesize: 656.4MB
MD5: 0d7db6e45c9cf9a19df0623a0253e7cb
SHA1: 1b4c7de70e4cdc7be5cbdc310901a5536c290ec5
SHA256: 5ec1837777260834f4f58789730968eb629990f9c3ee7a53e26a8f4310ebbea3
SHA512: a62d34257ad3a77aca823dcc0ee3c342c52fbce48d1a30fb45935365657576b000534eada58fd46bc3ed41d3894d75f5ca4b56a2369341d4a48d3256501a1085