Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 152s
- max time network: 84s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30/10/2022, 15:41
Static task: static1
Behavioral task: behavioral1
- Sample: 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
- Resource: win10v2004-20220812-en
General
- Target: 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
- Size: 280KB
- MD5: 836c37c2a3cb046ad6ee8d26ce6674bf
- SHA1: b3f05464435f87fcdc2c2e3d7a5f6631080eb8cc
- SHA256: 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4
- SHA512: fe2e4aca384be20ce19c55c533732bb2b367388aee086d7efc1a965e0a74d114208964b1ce8e494e5ecd1b07612fdee3728cdebb4ecf89912448549042afbb1f
- SSDEEP: 3072:DkW/vIu2kT/Ozb1/7Vc1tdjZQQLnQhhyBZ8Irfdaqebssot7rFVtWzdbcZgBX:DPWK2bVMJuQ0hhynfdaJqNrtWzC2
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0", by process 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0", by process biaog.exe
Executes dropped EXE (1 IoC)
- pid 1744, process biaog.exe
Loads dropped DLL (2 IoCs)
- pid 1648, process 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe (2 entries)
Adds Run key to start application (2 TTPs, 51 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\, by process biaog.exe
- Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\, by process 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\biaog = "C:\\Users\\Admin\\biaog.exe /n", by process 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\biaog = "C:\\Users\\Admin\\biaog.exe /<switch>", by process biaog.exe (48 entries; the same value is rewritten with a different single-letter switch each time, in this order: X, K, t, k, Y, l, E, N, f, L, b, q, R, c, i, r, e, O, J, A, n, F, V, x, M, G, D, B, S, U, m, h, s, W, H, Z, I, Q, v, u, j, T, d, y, a, C, z, g)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 1648, process 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe (1 entry)
- pid 1744, process biaog.exe (all remaining entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 1648, process 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
- pid 1744, process biaog.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1648 wrote to memory of 1744; process 77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe, procid_target 28 (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\77438645917ca43a178aa7b422a46fde8395d4e917465577958d18b638d9bef4.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1648
-
C:\Users\Admin\biaog.exe (child of PID 1648)
Command line: "C:\Users\Admin\biaog.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1744
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
The same file is listed four times in the report:
- Filesize: 280KB
- MD5: 248e469b017b3d638eb8ba787692cd78
- SHA1: ded4743f3c0d08983d6caf33b4675fb7614657ac
- SHA256: 20e32acb18d01d6afc2ca56db3ca53d9115b59ab4e23ae462e4438c654199e65
- SHA512: 5d482eb2d4dad79ae3f0d16e79c16651b6c9dce20e39ffa5beac7f14f93b1f1da78c7f1ebc9c2003c018475260b2fcd8e810309f7a2cb93e71071f0d78f00618