Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

myfile.exe

windows7_x64

8

myfile.exe

windows10_x64

8

Resubmissions

28/08/2020, 12:47

200828-nd915gcv5n 8

28/08/2020, 12:45

200828-q7w77zyk92 8

28/08/2020, 12:39

200828-h3kmc18276 8

Analysis

  • max time kernel
    87s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    28/08/2020, 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    myfile.exe

  • Size

    4.3MB

  • MD5

    0a438448cebd370318b5294775e2405c

  • SHA1

    60abd37bf94ee406653af60e5b72f1f69f646308

  • SHA256

    1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33

  • SHA512

    dc21a068d6aa3ce93a399d2b636a4dc17fd9b2f60c921eaadaef4eb0049c4ef5d1c09479c906660d0fa7bb7e688cdae54a36d9e73e35ac209e469a862c992976

Score
8/10
ransomware

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\myfile.exe
    "C:\Users\Admin\AppData\Local\Temp\myfile.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\system32\tree.com
        tree
        3⤵
          PID:1704
        • C:\Windows\system32\tree.com
          tree
          3⤵
            PID:1356
          • C:\Windows\system32\tree.com
            tree
            3⤵
              PID:1784
            • C:\Windows\system32\tree.com
              tree
              3⤵
                PID:1756
              • C:\Windows\system32\tree.com
                tree
                3⤵
                  PID:1820
                • C:\Users\Admin\Desktop\HexInformation.exe
                  HexInformation.exe
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious use of FindShellTrayWindow
                  PID:1812
                • C:\Users\Admin\Desktop\HexDecryptor.exe
                  HexDecryptor.exe
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious use of WriteProcessMemory
                  PID:1800
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat C:\Users\Admin\Desktop\HexDecryptor.exe"
                    4⤵
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1040
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe
                      WindowsSystemTools.exe
                      5⤵
                      • Executes dropped EXE
                      • Sets desktop wallpaper using registry
                      • Modifies Control Panel
                      PID:844
                • C:\Users\Admin\Desktop\HexLocker.exe
                  HexLocker.exe
                  3⤵
                  • Executes dropped EXE
                  • Sets desktop wallpaper using registry
                  • Modifies Control Panel
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:732
            • C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
              "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx"
              1⤵
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of SetWindowsHookEx
              PID:1492

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1492-150-0x0000000004C30000-0x0000000004C34000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1596-148-0x000007FEF83B0000-0x000007FEF862A000-memory.dmp

              Filesize

              2.5MB

              Download

            • memory/1812-22-0x0000000074670000-0x0000000074D5E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1812-26-0x0000000001190000-0x0000000001191000-memory.dmp

              Filesize

              4KB

              Download