Analysis

max time kernel: 150s
max time network: 81s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 18:26
Static task: static1

Behavioral task: behavioral1
  Sample: f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
  Resource: win10v2004-20220901-en
General

Target: f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Size: 176KB
MD5: 0d90878e9045e5be441a9f3d20f29b6e
SHA1: 864bf947a5b3b1a7e5f9b2215199ef21bb600e2d
SHA256: f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662
SHA512: cc56bcd683dd444192941b7ac3d74fba0e3dfb689b6c761663b6afae6b70d290ea7b301fb9da1b4e7ef2d006c8dae0d4ee7f605764ba909b52500e0ae2ebe595
SSDEEP: 3072:Dhh8C/nROzg7iiwJvXZETcbLn67kLpyRurohZbsn4KhWNUzMzGV5/bBD3ynrul1y:Vh7YU7iiwJvXZETcbLn6YLProhZbsn47
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cieowez.exe
Executes dropped EXE (1 IoCs)
pid | Process
1036 | cieowez.exe

Loads dropped DLL (2 IoCs)
pid | Process
1204 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
1204 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
Adds Run key to start application (2 TTPs, 55 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1204 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
1036 | cieowez.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1204 wrote to memory of 1036 | 1204 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe | 27
PID 1204 wrote to memory of 1036 | 1204 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe | 27
PID 1204 wrote to memory of 1036 | 1204 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe | 27
PID 1204 wrote to memory of 1036 | 1204 | f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe | 27
Processes

C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe"
  PID: 1204
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\cieowez.exe (child of PID 1204)
    Command line: "C:\Users\Admin\cieowez.exe"
    PID: 1036
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 176KB
MD5: 86f0da2d7b2ae4be075977347250b75c
SHA1: aafb3a35c1d9fab640c519fdbd12f4dd32cb02a3
SHA256: 310a24082225a389be09dd3eba10a02eed541183a7610f6e41f3d693a067c7d4
SHA512: 14222c945b3848daaeb8abbc07c31c1719fdd2a0e522df35478c882cdc3772dce5af3bb783bba94c9f6828f1460d949fca6d609e2bd2656f9fe6a086356e1f40