Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 18:26

General

  • Target

    f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe

  • Size

    176KB

  • MD5

    0d90878e9045e5be441a9f3d20f29b6e

  • SHA1

    864bf947a5b3b1a7e5f9b2215199ef21bb600e2d

  • SHA256

    f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662

  • SHA512

    cc56bcd683dd444192941b7ac3d74fba0e3dfb689b6c761663b6afae6b70d290ea7b301fb9da1b4e7ef2d006c8dae0d4ee7f605764ba909b52500e0ae2ebe595

  • SSDEEP

    3072:Dhh8C/nROzg7iiwJvXZETcbLn67kLpyRurohZbsn4KhWNUzMzGV5/bBD3ynrul1y:Vh7YU7iiwJvXZETcbLn6YLProhZbsn47

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 55 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe
    "C:\Users\Admin\AppData\Local\Temp\f63a7a8e72acd2be17a382c93a86abe891756f421f856918b31faaeb03aa3662.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\cieowez.exe
      "C:\Users\Admin\cieowez.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1036

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\cieowez.exe

    Filesize

    176KB

    MD5

    86f0da2d7b2ae4be075977347250b75c

    SHA1

    aafb3a35c1d9fab640c519fdbd12f4dd32cb02a3

    SHA256

    310a24082225a389be09dd3eba10a02eed541183a7610f6e41f3d693a067c7d4

    SHA512

    14222c945b3848daaeb8abbc07c31c1719fdd2a0e522df35478c882cdc3772dce5af3bb783bba94c9f6828f1460d949fca6d609e2bd2656f9fe6a086356e1f40

  • C:\Users\Admin\cieowez.exe

    Filesize

    176KB

    MD5

    86f0da2d7b2ae4be075977347250b75c

    SHA1

    aafb3a35c1d9fab640c519fdbd12f4dd32cb02a3

    SHA256

    310a24082225a389be09dd3eba10a02eed541183a7610f6e41f3d693a067c7d4

    SHA512

    14222c945b3848daaeb8abbc07c31c1719fdd2a0e522df35478c882cdc3772dce5af3bb783bba94c9f6828f1460d949fca6d609e2bd2656f9fe6a086356e1f40

  • \Users\Admin\cieowez.exe

    Filesize

    176KB

    MD5

    86f0da2d7b2ae4be075977347250b75c

    SHA1

    aafb3a35c1d9fab640c519fdbd12f4dd32cb02a3

    SHA256

    310a24082225a389be09dd3eba10a02eed541183a7610f6e41f3d693a067c7d4

    SHA512

    14222c945b3848daaeb8abbc07c31c1719fdd2a0e522df35478c882cdc3772dce5af3bb783bba94c9f6828f1460d949fca6d609e2bd2656f9fe6a086356e1f40

  • \Users\Admin\cieowez.exe

    Filesize

    176KB

    MD5

    86f0da2d7b2ae4be075977347250b75c

    SHA1

    aafb3a35c1d9fab640c519fdbd12f4dd32cb02a3

    SHA256

    310a24082225a389be09dd3eba10a02eed541183a7610f6e41f3d693a067c7d4

    SHA512

    14222c945b3848daaeb8abbc07c31c1719fdd2a0e522df35478c882cdc3772dce5af3bb783bba94c9f6828f1460d949fca6d609e2bd2656f9fe6a086356e1f40

  • memory/1204-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

    Filesize

    8KB