Analysis
max time kernel: 150s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 16:32
Static task: static1
Behavioral task: behavioral1
  Sample: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
  Resource: win10v2004-20220901-en
General
Target: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
Size: 260KB
MD5: 851bfcaa840d8924eab1f269c08e2db0
SHA1: d5bee3ddc7a1f98d7f6bf70cd6c559cec1b4690a
SHA256: 06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f
SHA512: 3d58dcda88f0b3ffdf51defda5b53bb1639341978511159c63ee44b5160a477c60420a7da569a5913f63f9b8dc31baa9852055c8d70f7201dadc3a67c0911832
SSDEEP: 1536:qk7YsdcFjfUXhXAXzXkkcUcks98kMEi76WpPUjHmwDrTO:37YS0ykcUcks98kMEfWJuHm0X
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                             process
  Set value (int)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   ywkuer.exe

Executes dropped EXE (1 IoC)
  pid   process
  1332  ywkuer.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1600  06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
  1600  06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\                              ywkuer.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ywkuer = "C:\\Users\\Admin\\ywkuer.exe"   ywkuer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  1332  ywkuer.exe   (this row is repeated 64 times; every entry is the dropped child process)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  1600  06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
  1332  ywkuer.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   process                                                                 procid_target   count
  PID 1600 wrote to memory of 1332   1600  06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe   27              4
  PID 1332 wrote to memory of 1600   1332  ywkuer.exe                                                              26              60
  The writes go in both directions: the original executable writes into its dropped child 4 times, and the child then writes into the parent 60 times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\06ba3104a62d7be93356aa9f37347af4e6080e615c36347b6086eaa9a3e4fc2f.exe"
   PID: 1600
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\ywkuer.exe (child of PID 1600)
      command line: "C:\Users\Admin\ywkuer.exe"
      PID: 1332
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Four entries, all with identical size and hashes:
Filesize: 260KB
MD5: ad66da753327ee17652371567e3aa7d3
SHA1: 8ff396649b8ee85d39c442c08ba7dd779521d24f
SHA256: d9e3f720eb1bf5ff0a985eb901dacbca4a7dece34c817356c8524b9d394cb8f3
SHA512: 6e4c4deeb8ad0b61dff6889ad6a4da2241c302e6b9a6360652b673632b85b99c73acda78051a5d4d125528b1a4bf7a2e17109212429ab53561e50a7f7c57d93e
These hashes differ from those of the submitted sample (MD5 851bfcaa840d8924eab1f269c08e2db0), so although the size is also 260KB this artifact is not a byte-identical copy of the original executable.