Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

LethalComp...config

windows10-2004-x64

3

Seven.deps.json

windows10-2004-x64

3

Seven.exe

windows10-2004-x64

1

Seven.exe

windows10-2004-x64

6

Seven.runt...g.json

windows10-2004-x64

3

Analysis

  • max time kernel
    75s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2024, 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Seven.exe

  • Size

    139KB

  • MD5

    350273e0d2e8a9ba5e37b791016112a0

  • SHA1

    5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

  • SHA256

    27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

  • SHA512

    b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

  • SSDEEP

    3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score
6/10

Malware Config

Signatures

  • Drops desktop.ini file(s) 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Seven.exe
    "C:\Users\Admin\AppData\Local\Temp\Seven.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ExecutionPolicy Bypass -Command "Copy-Item -Path '' -Destination '$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3508
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3400
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EncryptedLog.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:3080

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufeayd2h.qfj.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\Desktop\EncryptedLog.txt
      Filesize

      53B

      MD5

      10fd8e2b62459b2d141bd134b1681ef6

      SHA1

      d4a97bf06865600458c39951fe72545b6a2beefd

      SHA256

      4fbe6f30292ab5cf3ad2e29fd84098a5c6ae0319e056213a29b16b640cda6671

      SHA512

      445108d0ec95aba7002ae4c290faa02ad2f9c56d03a6d1b915273ee72249cd8cf9304057a906059201f3aba1af9cf2087375402a35f57406cf14e9c594dfe2de

      Download Submit

    • memory/3508-39-0x0000024C0E760000-0x0000024C0E782000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3508-49-0x0000024C26D60000-0x0000024C26D70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-50-0x0000024C26D60000-0x0000024C26D70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3508-48-0x00007FF83DD60000-0x00007FF83E821000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3508-53-0x00007FF83DD60000-0x00007FF83E821000-memory.dmp

      Filesize

      10.8MB

      Download