Analysis
- max time kernel: 123s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26/03/2023, 15:20
Behavioral task: behavioral1
- Sample: 0x00080000000122e6-1069.exe
- Resource: win7-20230220-en
General
- Target: 0x00080000000122e6-1069.exe
- Size: 226KB
- MD5: d6e9b7a43836a7de3b47450c77eb2e12
- SHA1: 22b24298231f07c05fe057f2c5ee0e973260b6b4
- SHA256: 7c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
- SHA512: 0adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08
- SSDEEP: 6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg
Malware Config
Extracted
- Family: amadey
- Version: 3.68
- C2: 31.41.244.200/games/category/index.php
Signatures
- Executes dropped EXE (4 IoCs)
  PID   Process
  1600  metafor.exe
  920   metafor.exe
  1044  metafor.exe
  1408  metafor.exe
- Loads dropped DLL (1 IoC)
  PID   Process
  1676  0x00080000000122e6-1069.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  608   schtasks.exe
- Suspicious use of WriteProcessMemory (48 IoCs; each of the 12 distinct entries below is recorded 4 times in the report)
  description                        pid   Process                      procid_target  count
  PID 1676 wrote to memory of 1600   1676  0x00080000000122e6-1069.exe  28             4
  PID 1600 wrote to memory of 608    1600  metafor.exe                  29             4
  PID 1600 wrote to memory of 564    1600  metafor.exe                  31             4
  PID 564 wrote to memory of 588     564   cmd.exe                      33             4
  PID 564 wrote to memory of 580     564   cmd.exe                      34             4
  PID 564 wrote to memory of 1156    564   cmd.exe                      35             4
  PID 564 wrote to memory of 1640    564   cmd.exe                      36             4
  PID 564 wrote to memory of 340     564   cmd.exe                      37             4
  PID 564 wrote to memory of 1580    564   cmd.exe                      38             4
  PID 1272 wrote to memory of 920    1272  taskeng.exe                  41             4
  PID 1272 wrote to memory of 1044   1272  taskeng.exe                  43             4
  PID 1272 wrote to memory of 1408   1272  taskeng.exe                  44             4
Processes
- C:\Users\Admin\AppData\Local\Temp\0x00080000000122e6-1069.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x00080000000122e6-1069.exe"
  PID: 1676
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    PID: 1600
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      PID: 608
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      PID: 564
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 588
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "metafor.exe" /P "Admin:N"
        PID: 580
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "metafor.exe" /P "Admin:R" /E
        PID: 1156
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 1640
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\5975271bda" /P "Admin:N"
        PID: 340
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\5975271bda" /P "Admin:R" /E
        PID: 1580
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {CB380C0F-6EDA-44DA-B82F-FF6E4A6BDCDE} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
  PID: 1272
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    PID: 920
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    PID: 1044
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    PID: 1408
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 226KB
  MD5: d6e9b7a43836a7de3b47450c77eb2e12
  SHA1: 22b24298231f07c05fe057f2c5ee0e973260b6b4
  SHA256: 7c9a2a9bc7a70c76bee74d184c9d8928c3e5a709ea577f21e146d007da52365f
  SHA512: 0adb295e7c7086678eb9bedc2a541d00b5a815ffffa3cc9aeaf771fa985f34ba5380a9b2ee98342f8a48240757b2568dcf2c7c5986581a814ce92e8893acdc08