Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03/10/2022, 01:38
General
-
Target
05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0.exe
-
Size
536KB
-
MD5
4ab05f44a4ee4aeef3fffd08cf3897d0
-
SHA1
51b28c7b2f16458ef3a86e50014902c02a9e5001
-
SHA256
05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0
-
SHA512
fb5a8399c8275a1ab1c355e6daf1a3ae5c565bcf44d52a02ea1f4e2cf66db59249942acc49a2a84368fee685e793a334c00b7fe63cdc974d23f36cab9c8641c0
-
SSDEEP
12288:YqXg1EBXgR86OJqW3o8p8BS0TPt9yJLFk6A/sJJeio:YqFBwODYW3Vp8MA0
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 9 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 50 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 10 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0.exe"C:\Users\Admin\AppData\Local\Temp\05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0.exe"C:\Users\Admin\AppData\Local\Temp\05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"3⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe" -standalone 131074 "-update_flash"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe" -standalone 131074 "-new_session VzARUpK8yx0SE1wYQsfZdZcCgoto0"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe" -standalone 131074 "-new_session 3I0RGKTvu76QznWxLqdbDUDBVcooH"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe" -standalone 131074 "-new_session f0eCeU0P4oyuF5IJPTiBGHhwfmknf"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe" -standalone 131074 "-new_session FksWeI6qNOahiacJkxV7WGd7Ixl1L"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmp75AD.exe"C:\Users\Admin\AppData\Local\Temp\tmp75AD.exe" "C:\Users\Admin\AppData\Local\Temp\05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp75AD.exe"C:\Users\Admin\AppData\Local\Temp\tmp75AD.exe" "C:\Users\Admin\AppData\Local\Temp\05c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0.exe"4⤵
- Executes dropped EXE
- Deletes itself
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 >> nul3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\openfiles.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5092a72e8904b5d128955d2958fcba64e
SHA16461df4c6fe1eaebf5e56eb8ec12296e08a41ca4
SHA2567f4a9d8d3807b82e60756df1eb579cff6dd291ee9075ef27402a693f04536f95
SHA512af1fb1479ac213d8543fec3f32bf3d07976356599d86fc9d4282cd8aad958f5081d05851cf5790eb5e536b9df068fcb7f7a63d48edd8a57ae657a6135737e416
-
Filesize
21KB
MD5c2da06a44f61d634a4c2426ae4cfab02
SHA1380f3884acc8b2145f111f4a2dc4b29ef745fa06
SHA2569339a0713f24e487ed58622445d42c549a3ed2bfb4e3b0f1494586ce7030afa5
SHA512aec2ecb25a960aa202ede2d84456407d07a2eeb750c1d894559c9b42302f9a1f849e12bb806a149eec5b60daec85614b6b90870aeca23e1577c57e6020d17ce5
-
Filesize
48KB
MD539e531eac86b7de60c14613b35ddb593
SHA19778c8fb472a24a904bc69f108c70c27ff43c1a4
SHA2562420f40814f515f900f1828897e7ebe56fb062df3314dc5af9dd60901718fd60
SHA512aaa99b9af38b9dc15597b941e94d618dce427c909bee3178b1936329eaf2d976af52c09aaec33c075a3499c3636b69e94b3c78fbe0892ad4cc9f534dba545b02
-
Filesize
418B
MD5973d930f29fe6c215682397f8f4b1b8a
SHA12a6ebd33bc063f6d7e9c816f0433d3e2fc32057b
SHA25695fc67315f3ad12830d67b158404f3146f1cc0984e6f4d873a35a9714187380a
SHA5125e5a92f5adc8fdd69f96fa79ca1ed4acc27c07c2db7992dc73a9c9b4c15e3f3d6890a3d65cbc66367cc45423e5a61f9b82c410630f4a692b541b4f4f29e1c9ed
-
Filesize
130KB
MD5fdcba0efdd123661f7d2b869081d063a
SHA131b4adf44b6b24aaaa86908a3c8fd6c1979e2d00
SHA25669ab41c7686f9fdc172ab0e9c05fc593c4d897418a3057e442044c6ed550d33e
SHA5126a2b0847f63e8653518b0a21320ca1730c6f60211e1010b7f0b03647cf65d4b80ba6a1365e809543beb4d03065c161e48012672f398e806775f1e2b542d24bca
-
Filesize
423B
MD51596e78e630642da6f7225ec60343872
SHA190aba3aa9bb643e2b5fc489ffdb2a98de198d2dd
SHA256fbeb7aeee61686c4690629f6643e6bb2d6222811c8548d25e0b83e29df017057
SHA512844f52e0a2053a7a64608c6645c3d1e88d9ea825a6f21b80e6ce83f5b771745a5be5504b527eb551da7505837b5ef821beca1addd8722decc3df4018f8476708
-
Filesize
536KB
MD54ab05f44a4ee4aeef3fffd08cf3897d0
SHA151b28c7b2f16458ef3a86e50014902c02a9e5001
SHA25605c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0
SHA512fb5a8399c8275a1ab1c355e6daf1a3ae5c565bcf44d52a02ea1f4e2cf66db59249942acc49a2a84368fee685e793a334c00b7fe63cdc974d23f36cab9c8641c0
-
Filesize
536KB
MD54ab05f44a4ee4aeef3fffd08cf3897d0
SHA151b28c7b2f16458ef3a86e50014902c02a9e5001
SHA25605c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0
SHA512fb5a8399c8275a1ab1c355e6daf1a3ae5c565bcf44d52a02ea1f4e2cf66db59249942acc49a2a84368fee685e793a334c00b7fe63cdc974d23f36cab9c8641c0
-
Filesize
536KB
MD54ab05f44a4ee4aeef3fffd08cf3897d0
SHA151b28c7b2f16458ef3a86e50014902c02a9e5001
SHA25605c3352049b6200b125229a07e514b859c6898f71f91f4dc8489c8641616ffd0
SHA512fb5a8399c8275a1ab1c355e6daf1a3ae5c565bcf44d52a02ea1f4e2cf66db59249942acc49a2a84368fee685e793a334c00b7fe63cdc974d23f36cab9c8641c0
-
Filesize
102KB
MD5cf6f2f08b485aedd4a79fc3aef4ad363
SHA11def00e45ddd8c90b5e1ff863f3fa674912de19e
SHA256803d3d94c542192616f10f5404a6c8ab6dc8af77deedeeada7311e595761428a
SHA5128f31776f2d696600ec8bd353b5560bb7dc8785bc16f3936b898447a50f5d9603fd2e087705b98cb00bd2bb08a8a0a1151aac60798e9f4dd4bbc7542e046b23fb
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
1KB
MD50d47bcad8370c50864374927388f2cb4
SHA11b97330b545e46ef2b85c99a99ffd6d47a0cbf29
SHA2567a2d781794bb3e154f6d145dace72420086593c6fffb972e1f9794ed935a4e1f
SHA512f866360c3f9b3c5a8772e160f4ed538ce9378a815c2c555cc8720eaed90a455138edd5ef092f71f13ce40e89028a31079532a1ffa2811f43d31da65f05892ce2
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
131KB
MD5565610e8824c6d659cf326d10c43a57e
SHA199f064329cc6a775b6e79053cfeade56ca732c91
SHA25616974851edd8c910e399da07159335c405a40e996fdfee2e2320687451cbc2ee
SHA5124d9419b15fb69778bf06a37b5ac82371a4acceeb3413b3aa129613fa15563241112e3ab3876ca321c61ba784919dfbb200fe34dae99b347a07436a74f70fac48
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
148KB
-
Filesize
64KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
20KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
8KB
-
Filesize
360KB