Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 152s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02/10/2022, 00:23
Static task: static1
Behavioral task: behavioral1
- Sample: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
- Resource: win10v2004-20220812-en
General
- Target: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
- Size: 77KB
- MD5: 6ff07ca2d5d498017d6187c25e9f2748
- SHA1: 331b9880c951b233b0760c20cfa3a0172ddb879b
- SHA256: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25
- SHA512: cf37af5827bfd372789c6a3ca34c3146b65476c24e923d076b079006e071397c63b4aa9a2b322864196398e849c13e26cd96913b4cbdf568e9149132203d93fe
- SSDEEP: 1536:0tU9goIw15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWV0x:MU9goIw15Bx8pEttgdO/mXpgWXOJgQmv
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"; Process: noubu.exe
- Executes dropped EXE (1 IoC)
  pid: 1192; Process: noubu.exe
- Loads dropped DLL (2 IoCs)
  pid: 1636; Process: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe (2 identical entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\; Process: noubu.exe
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\noubu = "C:\\Users\\Admin\\noubu.exe"; Process: noubu.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1192; Process: noubu.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 1636; Process: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe
  pid: 1192; Process: noubu.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 1636 wrote to memory of 1192; Process: 3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe; procid_target: 28 (4 identical entries)
  description: PID 1192 wrote to memory of 1636; Process: noubu.exe; procid_target: 18 (remaining 60 entries identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe "C:\Users\Admin\AppData\Local\Temp\3fda80aa592ed472876f1bfe25570a8b8a7366883ccf7a4a705deb1db7bbea25.exe" (depth 1)
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1636
  - C:\Users\Admin\noubu.exe "C:\Users\Admin\noubu.exe" (depth 2)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1192
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 77KB
  MD5: 7b84b7aef210aac5449e153bcd2a6cfd
  SHA1: 09a53657165a413a050c73598f8f860d20132b13
  SHA256: 34c8e218e2dd2e72381566db86f161616801739bb1b0060d06d05ba098fb0fb7
  SHA512: f0ef94f158a053cec2ee51c51f1fd118ae0ad3d7e1e573d964ff392893b9f3dfc041181d6167e4212fce9d70fa81d9f1aa8502e8b061e231359fc703a5276130