Analysis

  • max time kernel
    6s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/08/2024, 06:47 UTC

Errors

Reason
Machine shutdown (the guest went down after roughly 6 seconds of kernel and network time, so the trace below is truncated at that point)

General

  • Target

    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

  • Size

    1.2MB

  • MD5

    e0340f456f76993fc047bc715dfdae6a

  • SHA1

    d47f6f7e553c4bc44a2fe88c2054de901390b2d7

  • SHA256

    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

  • SHA512

    cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

  • SSDEEP

    24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Malware Config

Signatures

  • Renames multiple (189) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with an added extension.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
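The MBR signature above fires on a write to sector 0, and the dropped boot.bin listed under Downloads is exactly 512 bytes, one sector. The check an analyst wants at this point is to parse such a sector as an MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compare it with a known-good sector. The following is an added example for this report, not tria.ge's code or the sample's; the two sectors it builds (CLEAN_MBR, DROPPED_MBR) are constructed for illustration and are not the real boot.bin, and read_physical_mbr assumes a Windows host with administrator rights.

```python
"""Boot-sector triage for a 512-byte image such as the dropped boot.bin.

Added example for this report, not tria.ge's code or the sample's. The two
sectors built below are constructed for illustration; they are not the real boot.bin.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # classic MBR: 446 bytes of boot code, then 4 x 16-byte entries
PT_ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"     # bytes 510-511; firmware refuses to boot a sector without it


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into a boot-code hash, the used partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PT_ENTRY, sector, PT_OFFSET + i * 16)
        if ptype != 0:                      # type 0 means the slot is unused
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIG,
        "partitions": partitions,
        "code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
    }


def assess_mbr(sector: bytes, baseline_code_sha256: str = "") -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature: firmware will not boot this sector")
    if not info["partitions"]:
        findings.append("partition table is empty: writing this sector to sector 0 would hide every volume")
    if baseline_code_sha256 and info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline: MBR code has been replaced")
    return findings


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a live disk (Windows, needs administrator rights). Assumed device path."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def build_sector(code: bytes, partitions, with_signature: bool = True) -> bytes:
    """Construct a test sector: boot code, optional partition entries, signature."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PT_ENTRY, sec, PT_OFFSET + i * 16,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    if with_signature:
        sec[510:512] = BOOT_SIG
    return bytes(sec)


# Constructed "known good" sector: stub boot code plus one bootable NTFS partition at LBA 2048.
CLEAN_MBR = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 32,
                         [(0x80, 0x07, 2048, 204800)])
# Constructed stand-in for a dropped sector: valid signature, its own code, no partition table.
DROPPED_MBR = build_sector(b"\xfa\xf4\xeb\xfd", [])          # cli; hlt; jmp back to hlt

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)["code_sha256"]
    for name, sec in (("clean", CLEAN_MBR), ("dropped", DROPPED_MBR)):
        print(name, parse_mbr(sec)["partitions"], assess_mbr(sec, baseline) or "OK")
```

Run it against the dropped file with `assess_mbr(open("boot.bin", "rb").read(), baseline)` where the baseline is the boot-code hash taken from the same machine before detonation; on a live host, `read_physical_mbr()` gives the sector to compare. A valid 0x55AA signature on a dropped sector is not reassuring: it is what lets the replaced code run at all.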

Processes

  • C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
    "C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Users\Admin\81857530\protect.exe
      "C:\Users\Admin\81857530\protect.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2836
    • C:\Users\Admin\81857530\assembler.exe
      "C:\Users\Admin\81857530\assembler.exe" -f bin "C:\Users\Admin\81857530\boot.asm" -o "C:\Users\Admin\81857530\boot.bin"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2980
    • C:\Users\Admin\81857530\overwrite.exe
      "C:\Users\Admin\81857530\overwrite.exe" "C:\Users\Admin\81857530\boot.bin"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:3020
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:692
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1504
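The process tree is the most useful part of this report for detection: the parent (PID 528) does the bulk renaming, then runs a dropped assembler with nasm-style flags (`-f bin <src>.asm -o <out>.bin`) and hands the resulting one-sector file to a second dropped executable, which is the one that writes the MBR. The following is an added example, not tria.ge's detection logic, that runs that pattern over process-creation and file-rename events. The three command lines in EVENTS are the ones shown in the tree above; the event schema (type/pid/ppid/image/cmdline/old/new), the parent image name and the 189 rename events are constructed for the example.

```python
"""Detection for the chain in this report: a dropped assembler emits a flat binary
from an .asm source, a second dropped executable is handed that .bin, and the
parent renames files in bulk with one added extension.

Added example, not tria.ge's detection logic. EVENTS is constructed: the three
command lines match the process tree; the schema and the rename events are made up.
"""
import re
from collections import Counter, defaultdict

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted or bare Windows command-line argument


def split_args(cmdline: str) -> list:
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def assembled_output(args: list):
    """Return the -o target when args look like `<asm> -f bin <src>.asm -o <out>.bin`
    (nasm-style flat-binary output), otherwise None."""
    if "-f" not in args or "-o" not in args:
        return None
    f_idx, o_idx = args.index("-f"), args.index("-o")
    if f_idx + 1 >= len(args) or o_idx + 1 >= len(args):
        return None
    out = args[o_idx + 1]
    has_asm_src = any(a.lower().endswith(".asm") for a in args[1:])
    if args[f_idx + 1].lower() == "bin" and has_asm_src and out.lower().endswith(".bin"):
        return out
    return None


def detect(events: list, rename_threshold: int = 50) -> list:
    """Walk events in order and return findings as strings."""
    findings = []
    boot_bins = {}                       # lower-cased .bin path -> pid that assembled it
    renames = defaultdict(Counter)       # pid -> Counter of extensions appended to file names
    for ev in events:
        if ev["type"] == "process":
            args = split_args(ev["cmdline"])
            out = assembled_output(args)
            if out:
                boot_bins[out.lower()] = ev["pid"]
                findings.append(f"pid {ev['pid']} assembles a flat binary {out} from an .asm source")
                continue
            for a in args[1:]:           # any later process given the assembled file as an argument
                if a.lower() in boot_bins:
                    findings.append(f"pid {ev['pid']} ({ev['image']}) is invoked with assembled sector {a}; "
                                    f"check it for raw writes to \\\\.\\PhysicalDrive0")
        elif ev["type"] == "rename":
            old, new = ev["old"], ev["new"]
            if len(new) > len(old) and new.lower().startswith(old.lower()):
                renames[ev["pid"]][new[len(old):]] += 1   # the extension added to the original name
    for pid, exts in renames.items():
        ext, n = exts.most_common(1)[0]
        if n >= rename_threshold:
            findings.append(f"pid {pid} appended '{ext}' to {n} files: mass rename consistent with ransomware")
    return findings


DIR = r"C:\Users\Admin\81857530"
# Constructed event stream modelled on the process tree in this report.
EVENTS = [
    {"type": "process", "pid": 528, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
] + [
    {"type": "rename", "pid": 528, "old": rf"C:\Users\Admin\Documents\file{i}.xlsx",
     "new": rf"C:\Users\Admin\Documents\file{i}.xlsx.locked"} for i in range(189)
] + [
    {"type": "process", "pid": 2980, "ppid": 528, "image": rf"{DIR}\assembler.exe",
     "cmdline": rf'"{DIR}\assembler.exe" -f bin "{DIR}\boot.asm" -o "{DIR}\boot.bin"'},
    {"type": "process", "pid": 3020, "ppid": 528, "image": rf"{DIR}\overwrite.exe",
     "cmdline": rf'"{DIR}\overwrite.exe" "{DIR}\boot.bin"'},
]

if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The rename count is tracked per process and per appended extension so that a single renamed file, or an installer that renames a handful of its own files, stays below the threshold; the assembler and the consumer of its output are tied together by the output path rather than by image name, because both binaries here are dropped under a random-looking directory and can be called anything.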

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\81857530\boot.asm

        Filesize

        825B

        MD5

        def1219cfb1c0a899e5c4ea32fe29f70

        SHA1

        88aedde59832576480dfc7cd3ee6f54a132588a8

        SHA256

        91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

        SHA512

        1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

      • C:\Users\Admin\81857530\boot.bin

        Filesize

        512B

        MD5

        90053233e561c8bf7a7b14eda0fa0e84

        SHA1

        16a7138387f7a3366b7da350c598f71de3e1cde2

        SHA256

        a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

        SHA512

        63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

      • C:\Users\Admin\Documents\WatchWait.xlsx.locked

        Filesize

        12KB

        MD5

        1b6699b2e2da6e4372cc7618fd1a2b5e

        SHA1

        34b0c8dc2b455a6716ec3d490826352484f325e7

        SHA256

        26d060839ece7d3b0267264d56692fb0995638884266c1f291c2419343902550

        SHA512

        e82c8774c18a7eccb14b4e5b49fe815f415e27bd419ed43326ea62a5b9eb9fed4d489a0374fad2018debef1c79ab415e3b8bf046ec6c8773b1f450accfc9b1a5

      • \Users\Admin\81857530\assembler.exe

        Filesize

        589KB

        MD5

        7e3cea1f686207563c8369f64ea28e5b

        SHA1

        a1736fd61555841396b0406d5c9ca55c4b6cdf41

        SHA256

        2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

        SHA512

        4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

      • \Users\Admin\81857530\overwrite.exe

        Filesize

        288KB

        MD5

        bc160318a6e8dadb664408fb539cd04b

        SHA1

        4b5eb324eebe3f84e623179a8e2c3743ccf32763

        SHA256

        f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

        SHA512

        51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

      • \Users\Admin\81857530\protect.exe

        Filesize

        837KB

        MD5

        fd414666a5b2122c3d9e3e380cf225ed

        SHA1

        de139747b42a807efa8a2dcc1a8304f9a29b862d

        SHA256

        e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

        SHA512

        9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

      • memory/528-0-0x0000000000C50000-0x0000000000EDE000-memory.dmp

        Filesize

        2.6MB

      • memory/528-239-0x0000000000C50000-0x0000000000EDE000-memory.dmp

        Filesize

        2.6MB

      • memory/692-240-0x0000000002D90000-0x0000000002D91000-memory.dmp

        Filesize

        4KB

      • memory/2980-38-0x0000000000400000-0x000000000049B000-memory.dmp

        Filesize

        620KB

      • memory/3020-48-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB
