Analysis
- max time kernel: 179s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/11/2022, 03:34
Static task: static1
Behavioral task: behavioral1
- Sample: 769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe
- Resource: win10v2004-20220812-en
General
- Target: 769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe
- Size: 48KB
- MD5: fff8d991fe97984fb1710ba5bcfb2b16
- SHA1: 396adbb7e6228b266daa118cea9bd337f5230e44
- SHA256: 769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70
- SHA512: 5f44e82ab6a66d4eb60ea2e525f7285ffd6ae1e6e66ea7668f9237e65b12d7ba1c45c192aafb3d11afb9f467849635eb73cdb036523b604b107059981df49ee4
- SSDEEP: 768:ZeNEhmSglfzBv+6wH9H7MfygXaDMFQXD7e:Zeamjfx6NNDsQXD7
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: mhrih.exe
- Executes dropped EXE (1 IoC)
  pid: 664
  process: mhrih.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: 769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  process: mhrih.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mhrih = "C:\\Users\\Admin\\mhrih.exe"
  process: mhrih.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 664
  process: mhrih.exe
  (all 64 entries are identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 4768, process: 769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe
  pid: 664, process: mhrih.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 4768 wrote to memory of 664
  pid: 4768, process: 769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe, procid_target: 83
  (3 identical entries)
  description: PID 664 wrote to memory of 4768
  pid: 664, process: mhrih.exe, procid_target: 81
  (all remaining entries are identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe (PID 4768)
  command line: "C:\Users\Admin\AppData\Local\Temp\769450e7d371b2de969a03992d341df06eb113c3e8827c40fbe085451f4cfd70.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\mhrih.exe (PID 664)
    command line: "C:\Users\Admin\mhrih.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 48KB
  MD5: 569b347fb0c0e6fcab715d006b3ad86a
  SHA1: c2174b0e1e21f33e1dad5b6c153f52db2a4b20db
  SHA256: 03ab65aa713439775f216622a5d0a6e2e6e31fd9446cdcff561707d3f3e75d1f
  SHA512: 104559c87e1c15eb0f2df32674c8dd79476cc2a7f6fb7c5bdd8003a03a1c7aa99ace92f1974e7bd04b38220f2bf325c814669fc999f7371450a54e1018de7d25