Analysis

  • max time kernel
    128s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:23

General

  • Target

    Soundpad_Mohamed_m4.rar

  • Size

    6.8MB

  • MD5

    cf8dccf33ebaf63ea18d00bcb24bc5b2

  • SHA1

    cfaeaebfe0cd7c40d0ac9fbd8065a7da5c9f0241

  • SHA256

    703c98b215698a72cb6de36c33e66c821a470a52565ba79da213243d0aed458b

  • SHA512

    75103f5309e5be1bf6c9585129b2c3c694762bca753c6bd2ac4e829bf4c22ade107bcbf0c94458eeff14836f88b374a22daf4a4a344e7f7c3ac9402e799441de

  • SSDEEP

    196608:Ke8fPDaxJLrQo87HeDxWeHnCvozDOv9wKuLZTFj0:Ke83cJ47HGlCvQ0uzk

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO45A0CE08\Readme.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:324
      • C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe"
        3⤵
        • Executes dropped EXE
        PID:2676
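The process tree above shows the behaviour worth detecting: the user opens the archive in 7-Zip's file manager (7zFM.exe), which extracts each double-clicked member into a per-file temp directory named %LOCALAPPDATA%\Temp\7zO<8 hex digits>\ and runs it from there, so Soundpad.exe executes straight out of a throwaway folder with 7zFM.exe as its parent. The script below is an added example (it is not part of the tria.ge report) that replays that tree as constructed Sysmon-style process-creation records and applies two rules: a strong one for an image that itself lives under a 7zO temp directory with 7zFM.exe as parent, and a weaker one for any 7zFM.exe child whose command line merely points into such a directory (the notepad Readme.txt case). The record layout, the cmd.exe parent (explorer.exe, PID 800) and the fifth, benign event are assumptions added for illustration.

```python
"""Flag executables run from a 7-Zip temporary extraction directory.

Added example, not part of the tria.ge report. The events below are
constructed from the report's process tree; the explorer.exe parent
(PID 800) and the benign fifth event are made up for illustration.
"""
import re
from dataclasses import dataclass

# 7zFM.exe extracts a member opened from the archive window to
# %LOCALAPPDATA%\Temp\7zO + 8 hex digits (report: 7zO45A0CE08, 7zO45AACD18).
SEVENZIP_TEMP_RE = re.compile(
    r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\7zO[0-9A-Fa-f]{8}\\"
)
ARCHIVE_VIEWERS = {"7zfm.exe"}  # only 7zFM.exe appears in the report


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


EVENTS = [
    ProcEvent(840, 800, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar",
              r"C:\Windows\explorer.exe"),
    ProcEvent(2644, 840, r"C:\Program Files\7-Zip\7zFM.exe",
              r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Soundpad_Mohamed_m4.rar"',
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(324, 2644, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO45A0CE08\Readme.txt',
              r"C:\Program Files\7-Zip\7zFM.exe"),
    ProcEvent(2676, 2644, r"C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe"',
              r"C:\Program Files\7-Zip\7zFM.exe"),
    # Constructed benign event: same program name launched from an install path.
    ProcEvent(3000, 800, r"C:\Program Files\Soundpad\Soundpad.exe",
              r'"C:\Program Files\Soundpad\Soundpad.exe"',
              r"C:\Windows\explorer.exe"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_seven_zip_temp_execution(ev):
    """Strong rule: the image itself sits in a 7zO temp dir and the parent is 7-Zip's GUI."""
    return bool(SEVENZIP_TEMP_RE.match(ev.image)) and basename(ev.parent_image) in ARCHIVE_VIEWERS


def opened_from_archive(ev):
    """Weak rule: parent is 7-Zip's GUI and any argument points into a 7zO temp dir."""
    return basename(ev.parent_image) in ARCHIVE_VIEWERS and bool(SEVENZIP_TEMP_RE.search(ev.cmdline))


def detect(events):
    """Return (pid, verdict) for every event that fires a rule, strongest rule first."""
    hits = []
    for ev in events:
        if is_seven_zip_temp_execution(ev):
            hits.append((ev.pid, "exec-from-7zip-temp"))
        elif opened_from_archive(ev):
            hits.append((ev.pid, "file-opened-from-archive"))
    return hits


def ancestry(events, pid):
    """Follow parent links to recover the launch chain for a hit (triage context)."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, verdict in detect(EVENTS):
        print(pid, verdict, " -> ".join(ancestry(EVENTS, pid)))
```

The strong rule is the one to alert on: a binary that only exists inside a 7zO directory was never extracted anywhere stable, which is exactly what the report's "Executes dropped EXE" line records. The weak rule is noisy on its own (opening a text file from an archive is normal) and is better kept as enrichment for the strong hit than as a stand-alone alert.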

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO45A0CE08\Readme.txt

    Filesize

    247B

    MD5

    75e1c9f2df88bb43b0171a9cc4869230

    SHA1

    6153db66cce38bbebfe6b42b42ed65f9afb5ed33

    SHA256

    e8cd560f199c8e666ec1cfd460e444479eb2f1360040376a4eb03c3c14316b20

    SHA512

    4a5f57f00889fcb55ec2c7a4204bdd4857ab6bfc41050e50a18452515c31e0dc2dd87aca2bda11840f463ba24c044b1e03a53d4ebe48f8f809ff07b3ee3703b9

  • \Users\Admin\AppData\Local\Temp\7zO45AACD18\Soundpad.exe

    Filesize

    10.9MB

    MD5

    0ae4f60d72e0d1c159505500b8a08ebb

    SHA1

    bb352dafd3c3ebebb4414b799010fe5ebddbef44

    SHA256

    ed3371229647ef876b45cb5940e48b461df58d4e68ad4932f5877eba90c8d379

    SHA512

    88495911df544a04a4e09828ae10b57d3d945c41d6e28964c2d4d077afa43fec1c82a8ff6dcce57a3c7b9e5d02d1e47f800f557b022866f5f7be4a2db9b07536
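The hashes above for the archive and the two files it drops are the report's host indicators. The script below is an added example (not part of the tria.ge report) that turns them into an IOC table and hunts a directory tree for them: each file is read once and MD5, SHA-1 and SHA-256 are computed in a single pass, then every digest is looked up independently, so a hit is still reported when a shared IOC list carries only one algorithm or one column was mistyped. The IOC labels, the SHA-512 omission and the walk over a root directory are assumptions; the hex values are copied from the report.

```python
"""Hunt a directory tree for this report's dropped files by hash.

Added example, not part of the tria.ge report. Hex digests are copied from
the report; the IOC labels and the directory walk are assumptions.
"""
import hashlib
import os

IOCS = {
    "Soundpad_Mohamed_m4.rar": {
        "md5": "cf8dccf33ebaf63ea18d00bcb24bc5b2",
        "sha1": "cfaeaebfe0cd7c40d0ac9fbd8065a7da5c9f0241",
        "sha256": "703c98b215698a72cb6de36c33e66c821a470a52565ba79da213243d0aed458b",
    },
    "Readme.txt (7zO45A0CE08)": {
        "md5": "75e1c9f2df88bb43b0171a9cc4869230",
        "sha1": "6153db66cce38bbebfe6b42b42ed65f9afb5ed33",
        "sha256": "e8cd560f199c8e666ec1cfd460e444479eb2f1360040376a4eb03c3c14316b20",
    },
    "Soundpad.exe (7zO45AACD18)": {
        "md5": "0ae4f60d72e0d1c159505500b8a08ebb",
        "sha1": "bb352dafd3c3ebebb4414b799010fe5ebddbef44",
        "sha256": "ed3371229647ef876b45cb5940e48b461df58d4e68ad4932f5877eba90c8d379",
    },
}


def index_iocs(iocs):
    """Invert {name: {algo: hex}} into {(algo, hex): name} for O(1) lookups."""
    return {(algo, h.lower()): name
            for name, algos in iocs.items() for algo, h in algos.items()}


def _digest_chunks(chunks):
    """Feed each chunk to all hashers once; returns {algo: lowercase hex}."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data):
    return _digest_chunks([data])


def hash_file(path, chunk_size=1 << 20):
    """Single-pass hashing so large files (the 10.9MB EXE) are read once, not three times."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def match_digests(digests, index):
    """Set of IOC names hit by any algorithm; empty set when nothing matches."""
    return {index[(algo, h.lower())]
            for algo, h in digests.items() if (algo, h.lower()) in index}


def scan(root, iocs=IOCS):
    """Walk root and return [(path, {ioc names})] for every file matching an IOC."""
    index = index_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                names = match_digests(hash_file(path), index)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if names:
                hits.append((path, names))
    return hits


if __name__ == "__main__":
    import sys
    for path, names in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", ", ".join(sorted(names)))
```

Point it at a user's %LOCALAPPDATA%\Temp to catch leftover 7zO directories, or at a mail or download quarantine to find the archive itself. The Readme.txt is 247 bytes of text and its hash is a weak indicator on its own (any edit changes it); the archive and EXE hashes are the ones worth pushing into an EDR blocklist.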