Analysis
- max time kernel: 149s
- max time network: 56s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 30/10/2022, 20:08
Static task: static1
Behavioral task: behavioral1
- Sample: fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
- Resource: win10v2004-20220812-en
General
- Target: fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
- Size: 223KB
- MD5: 82415e5164f2472b41c7c1c649e9205d
- SHA1: b3e62f3dff0115a580e78602783a5b896e7f70c3
- SHA256: fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29
- SHA512: 7499f2d615f851176c7c9244289bdb3314f3a3ef86980ca25571ddce67d89660c53d1c08435e16470117ebf620a689280c82c0341896f9110cdaca2de09f398e
- SSDEEP: 1536:ZIUKX8quuRWNp199xW96ZCVh8s4aBQFNpCeB+DI3GQkVLNSLUUkh1hC7u6WT5l9u:ZpqoNpGVh89Cg0RdXtK9r4U8zWtEW9
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | loriw.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1316 | loriw.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
- Adds Run key to start application (2 TTPs, 29 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /e" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /h" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /r" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /b" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /d" | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /y" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /i" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /d" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /g" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /k" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /p" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /c" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /f" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /a" | loriw.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /w" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /o" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /x" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /q" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /z" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /s" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /n" | loriw.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /u" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /v" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /t" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /m" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /j" | loriw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\loriw = "C:\\Users\\Admin\\loriw.exe /l" | loriw.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | loriw.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | loriw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  1316 | loriw.exe (this row is repeated for the remaining 63 of the 64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
  1316 | loriw.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1280 wrote to memory of 1316 | 1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe | 27
  PID 1280 wrote to memory of 1316 | 1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe | 27
  PID 1280 wrote to memory of 1316 | 1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe | 27
  PID 1280 wrote to memory of 1316 | 1280 | fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe | 27
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29.exe"
   PID: 1280
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\loriw.exe (child of PID 1280)
      Command line: "C:\Users\Admin\loriw.exe"
      PID: 1316
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Four downloadable artifacts are listed, all with identical size and hashes:
- Filesize: 223KB
- MD5: 82415e5164f2472b41c7c1c649e9205d
- SHA1: b3e62f3dff0115a580e78602783a5b896e7f70c3
- SHA256: fb557bcc93562d5b68bde6c5577954b4df4597c4b078d99acbae396b60717f29
- SHA512: 7499f2d615f851176c7c9244289bdb3314f3a3ef86980ca25571ddce67d89660c53d1c08435e16470117ebf620a689280c82c0341896f9110cdaca2de09f398e