Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 14/04/2023, 20:49
Static task: static1
Behavioral task: behavioral1
- Sample: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe
- Resource: win10v2004-20230220-en
General
- Target: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe
- Size: 276KB
- MD5: 80ee506064ae22c8ea34ffb2431f2488
- SHA1: 0c5a71beb97751a781203d598e97e5a746df62df
- SHA256: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb
- SHA512: 39be470cc5e8f170296371c7cfb7727b402e4c8b6e1ea6d66fe4195aa83f090cb9cf17d941dbb15214ae9e0a20f0015a190eb35a563067f2d645ea3f21609a6c
- SSDEEP: 3072:/3czQeDsw9vCdirSqJ4GGueYDDwOtDUeblv8zMrnwg5o6JP3WJ0nWFok:GQmstdiDJ4xuHDwiDpd8z+w56J+Dak
Malware Config
Extracted
- Family: tofsee
- C2: vanaheim.cn, jotunheim.name
Signatures
- Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\mnpdcisa = "0" (process: svchost.exe)
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 1 TTPs 1 IoCs
  PID 1488, process: netsh.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mnpdcisa\ImagePath = "C:\\Windows\\SysWOW64\\mnpdcisa\\vcfazttn.exe" (process: svchost.exe)
- Deletes itself 1 IoCs
  PID 1904, process: svchost.exe
- Executes dropped EXE 1 IoCs
  PID 2016, process: vcfazttn.exe
- Drops file in System32 directory 1 IoCs
  File created C:\Windows\SysWOW64\config\systemprofile:.repos (process: svchost.exe)
- Suspicious use of SetThreadContext 1 IoCs
  PID 2016 set thread context of 1904 (pid 2016, process: vcfazttn.exe, procid_target 39)
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  PID 320 sc.exe; PID 700 sc.exe; PID 664 sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS 2 IoCs
  Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses (process: svchost.exe)
  Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 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 (process: svchost.exe)
- Suspicious use of WriteProcessMemory 30 IoCs
  PID 1056 wrote to memory of 1708 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 28)
  PID 1056 wrote to memory of 1708 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 28)
  PID 1056 wrote to memory of 1708 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 28)
  PID 1056 wrote to memory of 1708 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 28)
  PID 1056 wrote to memory of 864 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 30)
  PID 1056 wrote to memory of 864 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 30)
  PID 1056 wrote to memory of 864 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 30)
  PID 1056 wrote to memory of 864 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 30)
  PID 1056 wrote to memory of 664 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 32)
  PID 1056 wrote to memory of 664 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 32)
  PID 1056 wrote to memory of 664 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 32)
  PID 1056 wrote to memory of 664 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 32)
  PID 1056 wrote to memory of 320 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 34)
  PID 1056 wrote to memory of 320 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 34)
  PID 1056 wrote to memory of 320 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 34)
  PID 1056 wrote to memory of 320 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 34)
  PID 1056 wrote to memory of 700 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 36)
  PID 1056 wrote to memory of 700 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 36)
  PID 1056 wrote to memory of 700 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 36)
  PID 1056 wrote to memory of 700 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 36)
  PID 2016 wrote to memory of 1904 (pid 2016, process: vcfazttn.exe, procid_target 39)
  PID 2016 wrote to memory of 1904 (pid 2016, process: vcfazttn.exe, procid_target 39)
  PID 2016 wrote to memory of 1904 (pid 2016, process: vcfazttn.exe, procid_target 39)
  PID 2016 wrote to memory of 1904 (pid 2016, process: vcfazttn.exe, procid_target 39)
  PID 2016 wrote to memory of 1904 (pid 2016, process: vcfazttn.exe, procid_target 39)
  PID 2016 wrote to memory of 1904 (pid 2016, process: vcfazttn.exe, procid_target 39)
  PID 1056 wrote to memory of 1488 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 40)
  PID 1056 wrote to memory of 1488 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 40)
  PID 1056 wrote to memory of 1488 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 40)
  PID 1056 wrote to memory of 1488 (pid 1056, process: 77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe, procid_target 40)
Processes
- C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe (PID 1056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1708)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mnpdcisa\
  - C:\Windows\SysWOW64\cmd.exe (PID 864)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vcfazttn.exe" C:\Windows\SysWOW64\mnpdcisa\
  - C:\Windows\SysWOW64\sc.exe (PID 664)
    Command line: "C:\Windows\System32\sc.exe" create mnpdcisa binPath= "C:\Windows\SysWOW64\mnpdcisa\vcfazttn.exe /d\"C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 320)
    Command line: "C:\Windows\System32\sc.exe" description mnpdcisa "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 700)
    Command line: "C:\Windows\System32\sc.exe" start mnpdcisa
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1488)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\mnpdcisa\vcfazttn.exe (PID 2016)
  Command line: C:\Windows\SysWOW64\mnpdcisa\vcfazttn.exe /d"C:\Users\Admin\AppData\Local\Temp\77b5c60d25ee308a2c29e9363e105bfc42b3f0c6eb92285b620454f9c952d1eb.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 1904)
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 14.4MB
  MD5: 649d62a13cad40b60bb6a0c44065a574
  SHA1: fa23cc57af0e2dd40dbc8244731d6467bf6ec7d2
  SHA256: 82dafa715329ca2f026fe1f42c31eefb4a449077b3b11d3916c4091987f5aa03
  SHA512: d28a121bf33cab395ab737f9d5ec373ba7c528068d15f756fd5f0ab29a1f27d9748111db28bd7aab3d4ec8210fdea5f5cbf8980d52bbba2b1ccf973d7bfb45a3