Analysis
max time kernel: 151s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2022, 21:48
Static task: static1
Behavioral task: behavioral1
Sample: 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
Resource: win10v2004-20220812-en
General
Target: 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
Size: 312KB
MD5: 095f627782dbaab51a5ebb47f73bf396
SHA1: 490bcb298e1fd5151f9054e1bb2d4263a86eee8b
SHA256: 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad
SHA512: 02d363308fbad94bd97c8ba3dd99ce45ec8c2086bbf9671a05e51bd7b1b495697b0808e7b9605d4847f192d68a9a21d37086a8ce3fb0331465b9b6e86f69686f
SSDEEP: 6144:pZXePAnwXgYIlqAnIVDC8e5uMSXGJZPBP3Jm90GF8:CowXgYMNIVa5uM1D/U0s8
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jaifoe.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
-
Executes dropped EXE 1 IoCs
pid | Process
1396 | jaifoe.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
-
Adds Run key to start application 2 TTPs 53 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /X" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /s" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /h" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /r" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /E" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /O" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /U" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /m" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /l" | jaifoe.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /b" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /A" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /a" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /u" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /j" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /Z" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /q" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /w" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /y" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /Q" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /I" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /n" | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /d" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /f" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /k" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /D" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /V" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /H" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /W" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /C" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /M" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /i" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /t" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /S" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /Y" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /L" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /J" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /F" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /o" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /R" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /z" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /P" | jaifoe.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /B" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /T" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /v" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /N" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /p" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /n" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /e" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /K" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /c" | jaifoe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaifoe = "C:\\Users\\Admin\\jaifoe.exe /x" | jaifoe.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
1396 | jaifoe.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
1396 | jaifoe.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1968 wrote to memory of 1396 | 1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe | 27
PID 1968 wrote to memory of 1396 | 1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe | 27
PID 1968 wrote to memory of 1396 | 1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe | 27
PID 1968 wrote to memory of 1396 | 1968 | 1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe | 27
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1d4f39c856cb7ea9ec2d47ce51c9a341e19b9079ac7095adc68c00bfa129d3ad.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1968
   2. C:\Users\Admin\jaifoe.exe
      Command line: "C:\Users\Admin\jaifoe.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 1396
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 312KB
MD5: e5963132b23a8f841caaf3e8d49dda6a
SHA1: 46f386dd8d047297cfc31f94cc4d68e81f054516
SHA256: 2b3c76f2211f76f53634d2a6e92c5e122a0700dda070c842939d15a512157387
SHA512: 8c752343c2188726b3d0b4ffa1ca755962d0ed04d63ce724502d7873d7301639bfc1875998110f85408b023ecc33e0ee81d8925a186f5986495b4b046a3d1ab3