Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

v2.exe

windows7-x64

v2.exe

windows10-2004-x64

10

Resubmissions

11/03/2025, 16:12

250311-tnqnzaxn12 10

11/03/2025, 16:12

250311-tnj67axnz5 10

11/03/2025, 16:11

250311-tnb6ksxnz3 10

10/03/2025, 17:20

250310-vwhtrssxct 10

10/03/2025, 16:34

250310-t3aaja1xfv 10

31/01/2025, 15:30

250131-sxp85azjcz 10

14/01/2025, 05:35

250114-gaenbszqam 10

10/01/2025, 23:50

250110-3vv2pswmhj 10

11/12/2024, 15:19

241211-sqgcmssnbr 10

09/12/2024, 01:54

241209-cbqprsxngx 10

Analysis

  • max time kernel
    15s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20241010-de
  • resource tags

    arch:x64arch:x86image:win7-20241010-delocale:de-deos:windows7-x64systemwindows
  • submitted
    11/03/2025, 16:12

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    v2.exe

  • Size

    121KB

  • MD5

    944ed18066724dc6ca3fb3d72e4b9bdf

  • SHA1

    1a19c8793cd783a5bb89777f5bc09e580f97ce29

  • SHA256

    74ce1be7fe32869dbbfe599d7992c306a7ee693eb517924135975daa64a3a92f

  • SHA512

    a4d23cba68205350ae58920479cb52836f9c6dac20d1634993f3758a1e5866f40b0296226341958d1200e1fcd292b8138c41a9ed8911d7abeaa223a06bfe4ad3

  • SSDEEP

    1536:vjVXKif7kaCtHM7qpo6ZQDtFnNi+ti09or2LkLpLik8ICS4Ao3uZs/WVEdz725sK:J1MZwlLk9Bm3uW/Wud2K36cn/wCY

Score
6/10
discovery

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2056
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2824
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2540
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:2004

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2540-2-0x0000000002840000-0x0000000002841000-memory.dmp

          Filesize

          4KB

          Download