Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 20:35

General

  • Target

    2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe

  • Size

    156KB

  • MD5

    63312be0311e6d05c06de72d82c92980

  • SHA1

    e75cc1477f7532d3b9f413a18f7d5cade640d93b

  • SHA256

    2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574

  • SHA512

    7689cc4753d0b45d2305c3423352c3d952a3a608fec8b0dda74911d96b66c16a34ea16384c8724ba340770da9fe0825556f99f4f558ac46a056b90e4d134c70f

  • SSDEEP

    3072:7vo0kPEdu3kSESulCVRgQPwU3MppI1zePMThBN4oQZiEYV:Doiu3ESul9LI1zeEhZWo

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
    "C:\Users\Admin\AppData\Local\Temp\2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\qeoew.exe
      "C:\Users\Admin\qeoew.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1964

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\qeoew.exe

    Filesize

    156KB

    MD5

    617450cd99b312dd3ece2d0482cf10c1

    SHA1

    dd5e2b82c2141d115147a01112f514df3da0ce82

    SHA256

    ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

    SHA512

    1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

  • C:\Users\Admin\qeoew.exe

    Filesize

    156KB

    MD5

    617450cd99b312dd3ece2d0482cf10c1

    SHA1

    dd5e2b82c2141d115147a01112f514df3da0ce82

    SHA256

    ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

    SHA512

    1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

  • \Users\Admin\qeoew.exe

    Filesize

    156KB

    MD5

    617450cd99b312dd3ece2d0482cf10c1

    SHA1

    dd5e2b82c2141d115147a01112f514df3da0ce82

    SHA256

    ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

    SHA512

    1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

  • \Users\Admin\qeoew.exe

    Filesize

    156KB

    MD5

    617450cd99b312dd3ece2d0482cf10c1

    SHA1

    dd5e2b82c2141d115147a01112f514df3da0ce82

    SHA256

    ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

    SHA512

    1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

  • memory/908-56-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB