Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 06:01

General

  • Target

    678fd707f3ad6810410147102799cf69f30850599d97580474451b1066015f78.exe

  • Size

    136KB

  • MD5

    a279dbfbfa243f061dd117d030b405d0

  • SHA1

    c963fc9c0a6fdcf0c565d3aeaf176ae19a369238

  • SHA256

    678fd707f3ad6810410147102799cf69f30850599d97580474451b1066015f78

  • SHA512

    3ca7a5fbb1d730a6dc03b8c31002461e360b9147d587b3563e1a5b960a5d214b6f4dfa74fe3cdb48831f2dd5dd6e115bb5325681cb56aa42575f2846ec25efe2

  • SSDEEP

    3072:Qy1IFRRG/J9t538E6tZqAwZh5dKzio3CfNynXp5ucK1FaOaB0W+A:H1G9kAwWTSW+A

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\678fd707f3ad6810410147102799cf69f30850599d97580474451b1066015f78.exe
    "C:\Users\Admin\AppData\Local\Temp\678fd707f3ad6810410147102799cf69f30850599d97580474451b1066015f78.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\moovix.exe
      "C:\Users\Admin\moovix.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\moovix.exe

    Filesize

    136KB

    MD5

    5189508229f00afb5541119e27400eb1

    SHA1

    30818126f36eba54ddb5b4df2e2c49f07c02c4ab

    SHA256

    3ac16055f2eced1e1279f0ffbf684817a6b166557e5b7496f345c00ec79bc2e9

    SHA512

    cadcd766531a861a342f2cae68eebd33e91d9c0595489d35419865398c1679a19311ac8b14eedec232c2bf0b5e4b18f9c03dd2469e679f63b0236e50d8176066

  • C:\Users\Admin\moovix.exe

    Filesize

    136KB

    MD5

    5189508229f00afb5541119e27400eb1

    SHA1

    30818126f36eba54ddb5b4df2e2c49f07c02c4ab

    SHA256

    3ac16055f2eced1e1279f0ffbf684817a6b166557e5b7496f345c00ec79bc2e9

    SHA512

    cadcd766531a861a342f2cae68eebd33e91d9c0595489d35419865398c1679a19311ac8b14eedec232c2bf0b5e4b18f9c03dd2469e679f63b0236e50d8176066

  • \Users\Admin\moovix.exe

    Filesize

    136KB

    MD5

    5189508229f00afb5541119e27400eb1

    SHA1

    30818126f36eba54ddb5b4df2e2c49f07c02c4ab

    SHA256

    3ac16055f2eced1e1279f0ffbf684817a6b166557e5b7496f345c00ec79bc2e9

    SHA512

    cadcd766531a861a342f2cae68eebd33e91d9c0595489d35419865398c1679a19311ac8b14eedec232c2bf0b5e4b18f9c03dd2469e679f63b0236e50d8176066

  • \Users\Admin\moovix.exe

    Filesize

    136KB

    MD5

    5189508229f00afb5541119e27400eb1

    SHA1

    30818126f36eba54ddb5b4df2e2c49f07c02c4ab

    SHA256

    3ac16055f2eced1e1279f0ffbf684817a6b166557e5b7496f345c00ec79bc2e9

    SHA512

    cadcd766531a861a342f2cae68eebd33e91d9c0595489d35419865398c1679a19311ac8b14eedec232c2bf0b5e4b18f9c03dd2469e679f63b0236e50d8176066

  • memory/2016-56-0x0000000075A71000-0x0000000075A73000-memory.dmp

    Filesize

    8KB